More and more doctors are using cloud-based services to store Electronic Protected Health Information (ePHI). Rather than storing ePHI on a local hard drive, doctors, dentists, chiropractors and other covered entities are making the transition to the cloud. Of course, there are several benefits associated with cloud technology in the healthcare sector. If a computer is lost or stolen, the risk of a breach is reduced, since the data lives in the cloud rather than on the missing device. Furthermore, covered entities and their respective workforce can access ePHI from any authorized computer when it's stored in the cloud.
But if you're a covered entity who's thinking of making the transition to the cloud, you might be wondering whether or not mobile devices can be used to access ePHI on the cloud. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 places certain restrictions on ePHI accessibility and usage. So, are covered entities allowed to access ePHI on the cloud using a smartphone or other mobile device?
According to the Department of Health and Human Services (HHS), covered entities are allowed to access ePHI in the cloud using a mobile device. The HHS explains that this is perfectly acceptable under HIPAA on two conditions: the appropriate safeguards are implemented to protect the confidentiality and privacy of ePHI, and a Business Associate Agreement (BAA) is in place with the cloud service provider with whom the covered entity does business.
HIPAA requires three specific types of safeguards to protect ePHI: physical, technical and administrative. We've discussed these before, but it's worth mentioning again that physical safeguards consist of tangible measures to prevent data breaches, such as locked doors, video surveillance systems, security systems, security officers, etc. Technical safeguards, on the other hand, are controls implemented in the technology itself rather than in the physical environment, such as encryption, unique user IDs, etc. And administrative safeguards consist of the policies and procedures intended to protect ePHI from improper disclosure.
Of course, a BAA is also a necessity when accessing ePHI in the cloud via a mobile device. This document is paramount any time a covered entity transfers its patients' personal information to a third party or otherwise allows a third party to access it. Failure to execute a BAA is one of the most common HIPAA violations.
To recap: yes, you can access ePHI in the cloud using a mobile device. In order to remain HIPAA-compliant, though, you'll need to ensure the appropriate safeguards (physical, technical and administrative) are in place, as well as a BAA with your cloud service provider.