Healthcare providers are some of the main beneficiaries of IT advancements, and the advantages of cloud technologies are no exception. Cloud storage facilitates rapid access to patient data in healthcare settings to help guide medical evaluations and treatment decisions. However, the Health Insurance Portability and Accountability Act of 1996 strictly regulates the use and disclosure of protected health information (PHI), and cloud storage can potentially compromise compliance. So, how do you maintain HIPAA-compliant cloud storage?
HIPAA-Compliant Cloud Storage
When PHI is stored electronically (ePHI), HIPAA compliance requires cybersecurity measures that can seem at odds with the easy access that cloud storage provides. However, healthcare entities and organizations that must maintain compliance can still take advantage of cloud access if it is implemented properly.
Implementing HIPAA-compliant cloud storage depends on an understanding of:
- PHI and electronic PHI
- Entities subject to HIPAA
- HIPAA Regulations
- Cloud storage uses and capabilities
Developing and maintaining HIPAA-compliant cloud computing architecture and storage access policies presents healthcare IT security teams with significant challenges. Partnering with a cybersecurity and compliance expert can help simplify cloud usage that adheres to regulations.
PHI and ePHI
Protected health information (PHI) and its digital counterpart (ePHI) comprise individuals’ personal data utilized within healthcare settings. HIPAA covers 18 categories—termed “identifiers”—of personally identifiable information (PII) that are regarded as PHI:
- Residence location (or specific geographic information)
- Important dates (e.g., date of birth, treatment dates)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security number (SSN)
- Medical record numbers or identifiers
- Health plan beneficiary numbers or identifiers
- Account numbers (e.g., credit card data)
- ID or license numbers
- Vehicle identifiers (e.g., license plates, vehicle identification number (VIN))
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric data (e.g., fingerprints)
- Full-face photographic (or comparable) imagery
- Other unique numbers, characteristics, or codes that may be used to identify the individual
Any data that may be categorized according to these 18 identifiers and is stored in the cloud must be interacted with via HIPAA-compliant processes.
Broader HHS Definition of PHI
More broadly, HHS defines PHI as any data that may identify an individual, including demographic data, whether it relates to the individual's past, present, or future health or healthcare. This definition covers:
- Physical or mental health or conditions
- The care provided to a patient
- Payment data for received healthcare services
Who is Subject to HIPAA Compliance?
HIPAA regulations and guidance utilize specific terminology when referring to the various organizations subject to compliance:
- Covered entities – Generally comprise healthcare entities that collect, store, or interact with PHI, including:
  - Healthcare providers
  - Health plans or insurance providers
  - Healthcare clearinghouses
- Business associates – Any organization that collects, stores, or interacts with PHI as a result of the services it provides to covered entities, including:
  - Claims processing
  - General IT or cybersecurity service delivery
  - Data analysis
  - Utilization review
  - Medical billing
  - Business associates’ third-party contractors
HIPAA regulations pertaining to cloud storage implementations mostly affect covered entities and IT or cybersecurity service providers. However, any organization that stores PHI in a cloud environment or interacts with it via cloud computing is subject to the same regulatory requirements.
HIPAA constitutes one of the more stringent and broadly applicable compliance standards and spans numerous “rule” publications issued by the US Department of Health and Human Services (HHS). HIPAA enforcement falls under HHS’ Office for Civil Rights (OCR).
By regulating the use and disclosure of patients’ PHI, HIPAA affects virtually all aspects of healthcare.
Note that, unlike many other compliance frameworks, HIPAA does not stipulate specific cybersecurity or other IT implementations. Instead, HIPAA focuses on the results (i.e., proper, confidential use and disclosures).
HIPAA Rules Relevant to Cloud Storage
The HIPAA regulations relevant to cloud storage are:
- Privacy Rule – The Privacy Rule establishes the overarching restrictions on, and permitted uses and disclosures of, PHI. These inform the cybersecurity and technical specifications in the other rules that covered entities must follow.
- Security Rule – The Security Rule outlines the administrative, technical, and physical safeguards that covered entities must implement to protect PHI. With regard to cloud storage, the Security Rule requires that covered entities:
  - Protect PHI’s confidentiality, integrity, and availability—regardless of which individual or entities created, transmitted, or stored the data
  - Determine and protect against “reasonably anticipated threats” to PHI
  - Prevent “reasonably anticipated, impermissible uses and disclosures”
  - Maintain their employees’ HIPAA compliance
- Breach Notification Rule – Under HIPAA, a “breach” is defined not as a compromise of the cybersecurity architecture but as any use or disclosure of PHI not permitted by the regulation. Breach reporting depends on the number of individuals affected:
  - Fewer than 500 individuals – Report to the Secretary of HHS within 60 days of the end of the calendar year.
  - 500 or more individuals – Covered entities must report to the Secretary of HHS within 60 days, notify the affected individuals, and notify a media outlet serving the area where the affected individuals live.
Cloud Storage and HIPAA Compliance
As HIPAA doesn’t stipulate specific technology implementations, adopting cloud storage doesn’t inherently create compliance violations. Cloud usage remains compliant if processes and user access adhere to the permitted, confidential uses and disclosures governing PHI protections.
According to the Security Rule, HIPAA-compliant storage must enforce:
- Access Controls – Only authorized individuals may be provisioned with access to ePHI, regardless of where it is stored. Personnel should generally have their access restricted according to the “principle of least privilege,” i.e., strictly what is necessary to perform their job responsibilities—no more, no less.
- Audit Controls – Covered entities must record user activity related to ePHI in audit logs for later review and assessment. Audit controls may comprise hardware, software, or procedural mechanisms.
- Integrity Controls – ePHI must not be altered or destroyed improperly, with technical safeguards to both prevent this from occurring and verify that it hasn’t.
- Transmission Security – Any ePHI transmitted over electronic networks (e.g., cloud access, between covered entities) must be sufficiently protected via technical safeguards (e.g., encryption).
So long as cloud access and use adhere to these restrictions, your organization will maintain HIPAA-compliant file storage.
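The four safeguard categories above map naturally onto code. The following is an added example, not code from the original page or from RSI Security: a hypothetical EphiStore class with a constructed role-to-permission map (access controls), an audit entry for every access attempt (audit controls), an HMAC tag verified on every read (integrity controls), and a check that the storage endpoint uses HTTPS (transmission security). The key, records, user names and endpoint URLs are all constructed for the demo; a real deployment would hold the integrity key in a KMS or HSM and rely on TLS for the actual transport protection.

```python
"""Toy model of the Security Rule safeguards for an ePHI store.

Added example; everything here (role map, key, records, EphiStore) is
constructed and hypothetical. Only the decision logic is modelled.
"""
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Access controls: least privilege, one permission set per role (constructed).
# it_support can operate the storage service but holds no ePHI permissions.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "it_support": set(),
}

# Integrity controls: keyed hash over the canonical record. Demo key only.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so field order cannot matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def transmission_endpoint_allowed(url: str) -> bool:
    """Transmission security: refuse storage endpoints that are not HTTPS."""
    return urlparse(url).scheme == "https"


class EphiStore:
    """Hypothetical ePHI store that enforces the safeguards on every access."""

    def __init__(self):
        self._records = {}   # record_id -> (record, integrity tag)
        self.audit_log = []  # audit controls: one entry per access attempt

    def _audit(self, user, role, action, record_id, outcome):
        self.audit_log.append({
            "ts": time.time(), "user": user, "role": role,
            "action": action, "record": record_id, "outcome": outcome,
        })

    def _authorize(self, user, role, action, record_id):
        # Denied attempts are logged too; reviewers need to see them.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, record_id, "denied")
            raise PermissionError(f"{role} may not {action} ePHI")

    def put(self, user, role, record_id, record):
        self._authorize(user, role, "write", record_id)
        self._records[record_id] = (dict(record), integrity_tag(record))
        self._audit(user, role, "write", record_id, "allowed")

    def get(self, user, role, record_id):
        self._authorize(user, role, "read", record_id)
        record, tag = self._records[record_id]
        # Verify before returning: catches modification that bypassed put().
        if not hmac.compare_digest(integrity_tag(record), tag):
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {record_id}")
        self._audit(user, role, "read", record_id, "allowed")
        return dict(record)

    def modify_without_controls(self, record_id, field, value):
        """Simulates an out-of-band change to the stored object (for example a
        direct edit of the bucket object) that bypasses put(); used only to
        show that the integrity check detects it."""
        record, _tag = self._records[record_id]
        record[field] = value


def run_demo() -> dict:
    """Exercise the store and return the outcome of each step for checking."""
    store = EphiStore()
    patient = {"mrn": "MRN-0000001", "name": "Constructed Patient", "dx": "constructed"}
    store.put("dr_alice", "physician", "rec-1", patient)
    outcomes = {"billing_read": store.get("bob", "billing", "rec-1")["mrn"]}
    try:
        store.get("carol", "it_support", "rec-1")
        outcomes["it_read"] = "allowed"
    except PermissionError:
        outcomes["it_read"] = "denied"
    store.modify_without_controls("rec-1", "dx", "altered")
    try:
        store.get("dr_alice", "physician", "rec-1")
        outcomes["after_tamper"] = "allowed"
    except ValueError:
        outcomes["after_tamper"] = "integrity_failure"
    outcomes["audit_entries"] = len(store.audit_log)
    outcomes["https_ok"] = transmission_endpoint_allowed("https://storage.example/ephi")
    outcomes["http_ok"] = transmission_endpoint_allowed("http://storage.example/ephi")
    return outcomes


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the module shows the billing role reading but not writing, the IT role denied and the denial logged, and a read of a record changed outside the controlled path failing the integrity check with an audit entry of its own. The point a practitioner should take from it is that each safeguard is checked on every access, not just at provisioning time, and that denials and integrity failures are what the audit log is for.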
Business Associate Agreements (BAA) and Cloud Storage
If a covered entity (or business associate) hosts ePHI in a fully secured private cloud environment, their standard HIPAA adherence efforts may be sufficient for compliant cloud storage.
However, if a covered entity partners with a cloud services provider to host ePHI on remote, off-site servers, both parties must create and sign a Business Associate Agreement (BAA). A BAA is a contract that stipulates the technical, administrative, and security safeguards enacted to protect ePHI and also states the limited, permissible uses and disclosures of the data.
Should a business associate suffer a data breach (as defined by HIPAA), they must notify their covered entity partner within 60 days.
HIPAA and the HITRUST CSF
The HITRUST Common Security Framework (CSF) was initially established to simplify HIPAA compliance. Though the CSF has been expanded to include numerous other frameworks via comprehensive mapping, its implementation will significantly help ensure HIPAA compliance—including HIPAA-compliant cloud storage.
RSI Security is a HITRUST expert and can facilitate your organization’s implementation and certification assessment.
Implementing HIPAA-Compliant Cloud Storage
HIPAA compliance can quickly become a nebulous challenge for covered entities and their business associates. Because HIPAA does not outline explicit technical specifications (so as to accommodate organizations of different kinds and sizes), determining which solutions to implement and which services to use is left to the entities themselves. As a result, many organizations have turned to the HITRUST CSF for explicit technical guidance.
To get started on implementing HIPAA-compliant cloud storage or other compliance efforts, contact RSI Security today.