How to Be HIPAA Compliant in the Cloud, in Five Steps

The following is a guest post by Gilad Parann-Nissany, Founder and CEO of Porticor.

The Health Insurance Portability and Accountability Act (HIPAA) is the legal framework for keeping private health information – private. HIPAA protects personal health information from being exposed, and in particular – in the IT world – HIPAA defines how Electronic Personal Health Information (EPHI) should be protected. It imposes rules and also penalties.

A central goal for cloud-based health systems should be to achieve “Safe Harbor.” This means that your data is so well protected, even if bad things happen, you can reasonably show that EPHI was not exposed. This is HIPAA nirvana.

Some could say that HIPAA compliance is complex. Spoiler: they would be right. However, as Lao Tzu, founder of Chinese Taoism once said: “The journey of a thousand miles begins with one step.” Or, in our case, five steps.

1.     Investigate
Scope out your system, people and procedures
Start by studying your system architecture and your procedures and deciding where sensitive data resides and which procedures are relevant.

Nowadays, it is very popular to use cloud infrastructure for building out systems – rightly so, given the operational advantages. Cloud systems can be made HIPAA compliant. Start by making sure that all cloud accounts, cloud servers, cloud network segments and cloud storage – that will contain or process sensitive EPHI – are on your list.

Make sure you’ve also considered procedures and even people – they need to be part of your scope. Also consider which people should not see cloud-based EPHI – for example cloud provider employees and other cloud service providers you use.

2.     Analyze Risks
Discover where your Electronic Personal Health Information could get compromised
Go over everything on your list, whether a person, organization or a technical entity, and analyze where they get in contact with EPHI and the degree of risk involved. Document these risks carefully – they are the basis of your HIPAA compliance.

At this point, also consider possible mitigations to risks. Encryption and solid management of cloud encryption keys is one of the most important tools in your toolbox – if you encrypt data properly and keep the keys safe, you may enjoy “safe harbor,” and mitigate many of the penalties and risks of HIPAA.

3.     Define Policies
Establish procedures for security and privacy
HIPAA compliance is not just about doing things well, but also all about properly documenting that you have done them well. Going over your scoping list from step 1, you should identify the policies and procedures for each item, person or organization – that would ensure EPHI never leaks. Another set of documents should define your privacy policies.

Again, this is an important place to consider mitigations. As you go over the list and construct your procedures, pay attention to things that could go wrong. In the real world, something always goes wrong. Build in mitigations so that even if bad things happen – you will still enjoy “safe harbor.”

Ask your cloud service providers for a Business Associate Agreement, which ensures that they too have gone through a similar process – and are responsible for the service they provide you and its implications for HIPAA compliance.

4.     Train your people
Educate your employees and make sure your service providers are trained!
This is an obvious point, yet one of the most important ones. Trained staff make all the difference.

And yes, as always in HIPAA, it is not enough to train the staff, but also document the training. Require these proofs also from your service providers.

5.     Prepare for a breach
Be ready in case disaster strikes
Bad stuff happens. How will you deal with it? You need to plan this ahead of time, and – as always – also document your planning.

Our entire approach is based on achieving “safe harbor” – when you go through your “bad stuff” checklist, think carefully how each point can be mitigated. Often solid encryption will help, and one of the first things you want to check in the event of a breach – was the data encrypted and the keys kept safe? Make this part of your procedures.

HIPAA compliance in the cloud is within reach
By taking the right approach, thinking carefully through safe harbor possibilities, and covering the entire scope of your project – you can achieve proper HIPAA compliance and protect patient privacy. This is also a major competitive advantage for your business.

About the Author
Gilad Parann-Nissany, Founder and CEO of Porticor, is a cloud computing pioneer. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards like PCI DSS, and streamline operations.

About the author

John Lynn

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

4 Comments

  • Wow it only takes five steps…wait…what?
    Each of those steps has multiple steps?

    This could have easily been “How to…in One Step”

    That step would be: operate in a HIPAA compliant manner.
    Simple, see?

    Whether on a cloud based EHR or in-house server EHR, these steps are what any covered entity should be following.

    A major step not mentioned, which is specifically for cloud based EHRs, is to ensure you have redundant access to the internet.

    Most cloud based EHRs suggest this, and most docs ignore it.
    There are multiple cost-effective ways to accomplish this, but the point is, you need to have this backup source of internet access or it will be very painful (and embarrassing) when your primary source goes down.

  • Great article John! One other item worth noting in the training section is that all of the training done for HIPAA compliance needs to be documented as well. It’s not good enough to give (or have a vendor) give a “lunch and learn” type of presentation and call it training – there needs to be proof. It not only needs to be documented but should be done annually.

  • Point number 3 is particularly important. Having defined, clear policies are crucial for understanding and for 100% compliance.

    For any of you who conduct online surveys and need to remain HIPAA-compliant, online survey platform, SurveyMonkey, now offers healthcare professionals the ability to run surveys that are completely HIPAA-compliant under the latest guidelines.

    If you’re interested, more info here from their blog: http://blog.surveymonkey.com/blog/2013/09/10/hipaa-compliant/

Click here to post a comment
   

Categories