Cloud software is quickly becoming the norm for many businesses, but businesses in the healthcare sector that must adhere to HIPAA face additional security and privacy concerns that non-healthcare businesses do not. Any cloud system that stores PHI must be HIPAA compliant. Here is a checklist you can go through to see whether your cloud provider is HIPAA compliant:
- Security policies: Carefully read through the cloud provider's security policies. Are they in line with the specific HIPAA guidelines, policies, and procedures? If not, then move on to another provider.
- Personal contact: A HIPAA compliant cloud provider will have an available personal contact who understands HIPAA guidelines and is responsible for matching the provider's policies with HIPAA guidelines.
- Access controls: If you're looking for a HIPAA compliant cloud provider, you must find one with access controls in place that limit physical, on-site access to data to a restricted set of people. Access controls also cover electronic identification (user authentication), and the cloud provider should monitor that access as well.
- Encrypted data while in transit: Unless the cloud provider is also the processor for your data, it cannot control security before or after the transfer of information. It should, however, ensure that the transfer itself is encrypted so the data is protected while in transit.
- Encrypted data while in storage: This applies if the cloud provider will be holding PHI files and other healthcare data on hard drives. The hard drives and any backup copies must be encrypted and accounted for at all times.
- Constant monitoring: To be HIPAA compliant, a cloud provider must monitor the information it holds around the clock (24/7) to maintain security and flag any suspicious activity.
- Breach information and action: In case of a data or security breach, a HIPAA compliant cloud provider will have an incident reporting process that includes a detailed procedure for keeping the incident contained along with notification of Covered Entities in accordance with HITECH.
- Emergency and disaster recovery: Any good cloud provider will have a disaster recovery plan in case of natural or human-induced disaster. You should know what this plan is before signing on to a cloud provider.
- Location of data: It is crucial to know where your data is being stored with any cloud provider. Choose a provider that stores data within the United States, as foreign storage might result in unnecessary and unsecured searches by the foreign government.
- Experience: Most of all, you want to choose a cloud provider with a proven track record of providing secure HIPAA compliant services to healthcare providers. Avoid choosing a new company. With so much vital and private information on the line, it's best to go with a cloud provider you can trust.
Choosing a HIPAA compliant cloud provider requires a lot of research and working through the steps above, and you may still be questioning whether you need to use a cloud service at all. Contact us for more information on how to keep your office's network HIPAA compliant.