Healthcare organizations increasingly rely on cloud-based data centers to process, store, and organize medical records. Because of the information those records contain, these centers work directly with patients’ protected health information (PHI). Therefore, like any other business associate of a covered entity, they must be HIPAA compliant.
Healthcare organizations must investigate their business associates, such as cloud-based service providers, for HIPAA compliance before working with them. Here is a list of known cloud-based data centers to start with.
Related: HIPAA compliant email: The definitive guide
What is a cloud-based data center?
Data centers provide controlled environments that ensure the availability, security, and efficiency of a business’ data and applications. They are needed by different types of industries, such as healthcare, that rely on storing and processing large amounts of data. Data centers let organizations store data securely while scaling their operations and guaranteeing uninterrupted access to critical information.
Cloud-based data centers are third-party (offsite) facilities operated by cloud service providers. Because they are hosted in the cloud, such data centers accommodate large numbers of servers and storage systems, so they can meet the scalability and flexibility requirements of accessing and processing large volumes of data.
These data centers are responsible for data maintenance, system updates, and, of course, security, just like on-premises data centers. They must safeguard all data that flows through their systems with strong physical and technical security controls.
Learn more: A guide to HIPAA and cloud computing
The cloud and HIPAA compliance
A recent survey by Bitglass suggests that the adoption of the cloud in healthcare still lags behind other industries due to HIPAA legislation. Under HIPAA, any cloud service provider dealing with PHI on behalf of a covered entity would be considered a business associate. These businesses would therefore be held responsible for the security of data in their care. Ultimately, they must be HIPAA compliant.
When healthcare organizations store PHI in the cloud (or any location), the handling of that data must comply with HIPAA. As with physical business associates, cloud service providers have to sign a business associate agreement (BAA) with healthcare organizations. A BAA states the business associate’s responsibilities and holds it liable for related HIPAA violations.
Furthermore, to be HIPAA compliant, a cloud-based data center must implement the technical, physical, and administrative safeguards required by the HIPAA Security Rule. These safeguards protect the confidentiality, integrity, and availability of PHI. In the cloud, they involve securing both the data and the applications that the provider stores and runs on its infrastructure.
Here are five known HIPAA compliant cloud-based providers that offer data management:
Amazon Web Services (AWS)
AWS offers a variety of tools and services that help businesses run smoothly. These tools include data management, computing power, storage options, and networking capabilities. Organizations use AWS’ services for cloud hosting, storage and backup, computing power, database services, content delivery and networking, and machine learning and artificial intelligence (AI).
AWS is HIPAA compliant and offers a BAA that includes several data-related services.
Microsoft Azure
Microsoft Azure is a collection of integrated cloud services that developers and IT professionals can use to build, deploy, and manage applications. The range of available cloud services includes computing, analytics, storage, and networking.
Microsoft offers a BAA to all customers who are covered entities or business associates under HIPAA. Included with the BAA are several Azure data-related services.
See also: Does Microsoft Azure offer HIPAA compliant web hosting?
Google Cloud Platform (GCP)
GCP is a computing service by Google that offers hosting on the same infrastructure that Google uses internally for consumer products like Google Search and YouTube. Other services include computing, cloud storage, data storage, translations APIs, and prediction APIs. Google provides products to build a range of solutions from simple websites to complex applications.
Google offers a BAA for GCP, and the platform can be used in a HIPAA compliant manner.
See also: Google & HIPAA compliance: The ultimate guide
Box
Box is a cloud-based platform that allows users to store and access data. It offers space for collaboration and workflow automation along with content management and integration. With Box, organizations can centralize content, collaborate in real time, and manage file permissions and security.
The platform will sign a BAA with all healthcare clients who plan to store PHI in the cloud.
Atlantic.net
Atlantic.net is a cloud-hosting provider that offers a range of services, including dedicated servers and cloud computing. Its services are designed to help businesses scale their infrastructure quickly and efficiently.
Atlantic.net will sign a BAA, which is available upon request. The BAA covers the use and disclosure of electronic PHI (ePHI), though healthcare providers remain responsible for ensuring that they use the services in a compliant way.
The cloud and healthcare data security
Healthcare organizations are responsible for ensuring that their cloud business associates implement effective data security to support cloud activities. Depending on the needs of the provider and of the organizations it works with, such cybersecurity may include the following cloud-related safeguards.
Access controls: Implement multifactor authentication (MFA) to enhance user identity verification.
Data encryption: Employ encryption for data at rest and in transit so that even if accessed by an unauthorized party, the data remains unreadable.
Regular audits: Conduct regular audits and continuously monitor systems to detect and respond to unusual activities promptly.
Separate data backups: Maintain regular and redundant data backups, classifying data and storing each class separately according to the type of information and its requirements.
Retention policies: Understand and configure data retention policies based on the requirements of both the provider and the covered entity.
Data controls: Maintain clear visibility and control over where data is stored within the cloud and how.
Finally, as always, organizations must stay on top of changes to HIPAA and other state/federal regulations. The increase in cloud computing demand demonstrates just how far healthcare organizations have recently come. Security must follow the same trajectory and keep PHI secure.
Final thought: The HIPAA compliant cloud services checklist