Home Compliance StandardsHIPAA / Healthcare Industry Maintain HIPAA Compliant Cloud Storage in 2023
HIPAA / Healthcare Industry

Maintain HIPAA Compliant Cloud Storage in 2023

by RSI Security
written by RSI Security
computer

Healthcare providers are some of the main beneficiaries of IT advancements, and the advantages of cloud technologies are no exception. Cloud storage facilitates rapid access to patient data in healthcare settings to help guide medical evaluations and treatment decisions. However, the Health Insurance Portability and Accountability Act of 1996 strictly regulates the use and disclosure of protected health information (PHI), and cloud storage can potentially compromise compliance. So, how do you maintain HIPAA-compliant cloud storage?

 

HIPAA-Compliant Cloud Storage

When PHI is stored electronically (ePHI), cybersecurity measures must be implemented for HIPAA compliance that may seem opposed to the access benefits achieved with cloud storage. However, healthcare entities and organizations that must maintain compliance can still leverage cloud access if done so properly.

Implementing HIPAA-compliant cloud storage depends on an understanding of:

  • PHI and electronic PHI
  • Entities subject to HIPAA
  • HIPAA Regulations
  • Cloud storage uses and capabilities

Developing and maintaining HIPAA-compliant cloud computing architecture and storage access policies presents healthcare IT security teams with significant challenges. Partnering with a cybersecurity and compliance expert can help simplify cloud usage that adheres to regulations.

Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper

PHI and ePHI

Protected health information (PHI) and its digital counterpart (ePHI) comprise individuals’ personal data utilized within healthcare settings. HIPAA covers 18 categories—termed “identifiers”—of personally identifiable information (PII) that are regarded as PHI:

  1. Names
  2. Residence location (or specific geographic information)
  3. Important dates (e.g., date of birth, treatment dates)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security number (SSN)
  8. Medical record numbers or identifiers
  9. Health plan beneficiary numbers or identifiers
  10. Account numbers (e.g., credit card data)
  11. ID or license numbers
  12. Vehicle identifiers (e.g., license plates, vehicle identification number (VIN))
  13. Device identifiers and serial numbers
  14. Website URLs
  15. IP addresses
  16. Biometric data (e.g., fingerprints)
  17. Full-face photographic (or comparable) imagery
  18. Other unique numbers, characteristics, or codes that may be used to identify the individual

Any data that may be categorized according to these 18 identifiers and is stored in the cloud must be interacted with via HIPAA-compliant processes.

 

Request a Free Consultation

 

Broader HHS Definition of PHI

More broadly, HHS defines PHI as any data that may identify an individual—including demographic data and regardless of any temporal relation to the individual or provided healthcare. This definition covers:

  • Physical or mental health or conditions
  • The care provided to a patient
  • Payment data for received healthcare services

 planning

Who is Subject to HIPAA Compliance?

HIPAA regulations and guidance utilize specific terminology when referring to the various organizations subject to compliance:

  • Covered entities – Generally comprise healthcare entities that collect, store, or interact with PHI, including:
    • Healthcare providers
    • Health plans or insurance providers
    • Healthcare clearinghouses
  • Business associates – Any organization that collects, stores, or interacts with PHI as a result of its services provided to covered entities, including:
    • Claims processing
    • General IT or cybersecurity service delivery
    • Data analysis
    • Utilization review
    • Medical billing
    • Business associates’ third-party contractors

HIPAA regulations pertaining to cloud storage implementations mostly affect covered entities and IT or cybersecurity service providers. However, any organization that stores PHI in a cloud environment or interacts with it via cloud computing must follow the same regulatory adherence.

 

HIPAA Regulations

HIPAA constitutes one of the more stringent and broadly applicable compliance standards and spans numerous “rule” publications issued by the US Department of Health and Human Services (HHS). HIPAA enforcement falls under HHS’ Office for Civil Rights (OCR).

By regulating the use and disclosure of patients’ PHI, HIPAA affects virtually all aspects of healthcare.

Note that, unlike many other compliance frameworks, HIPAA does not stipulate specific cybersecurity or other IT implementations. Instead, HIPAA focuses on the results (i.e., proper, confidential use and disclosures).

 

HIPAA Rules Relevant to Cloud Storage

The HIPAA regulations relevant to cloud storage are:

  • Privacy Rule – The Privacy Rule establishes the overarching restrictions on and permitted uses and disclosures of PHI, which informs the cybersecurity and technical specifications contained in other rules for covered entities must follow.
  • Security Rule – The Security Rule outlines the administrative, technical, and physical safeguards that covered entities must implement to protect PHI. With regard to cloud storage, the Security Rule requires that covered entities:
    • Protect PHI’s confidentiality, integrity, and availability—regardless of which individual or entities created, transmitted, or stored the data
    • Determine and protect against “reasonably anticipated threats” to PHI
    • Prevent “reasonably anticipated, impermissible uses and disclosures”
    • Maintain their employee’s HIPAA compliance
  • Breach Notification Rule – Under HIPAA, a “data breach” does not constitute a compromised cybersecurity architecture but, rather, any use or disclosure not permitted by the regulation. Data breach reporting depends on the number of individuals affected:
    • Less than 500 individuals – Report to the Secretary of HHS within 60 days of the end of the calendar year.
    • 500 or more individuals – Covered entities must report to the Secretary of HHS within 60 days, notify affected individuals, and notify a media outlet within local geographic proximity to the affected individuals.

 computer

Cloud Storage and HIPAA Compliance

As HIPAA doesn’t stipulate specific technology implementations, adopting cloud storage doesn’t inherently create compliance violations. Cloud usage remains compliant if processes and user access adhere to the permitted, confidential uses and disclosures governing PHI protections.

According to the Security Rule, HIPAA-compliant storage must enforce:

  • Access Controls – Authorized individuals must be the only personnel provisioned with access to ePHI regardless of its storage location. Personnel should generally have their access restricted according to the “principle of least privilege,” or strictly what is necessary to perform job responsibilities—no more, no less.
  • Audit Controls – Covered entities must record user activity related to ePHI in audit logs for auditory review and assessment. Audit controls may comprise hardware, software, or procedural mechanisms.
  • Integrity Controls – ePHI must not be altered or destroyed improperly, with technical safeguards to both prevent this from occurring and verify that it hasn’t.
  • Transmission Security – Any ePHI transmitted over electronic networks (e.g., cloud access, between covered entities) must be sufficiently protected via technical safeguards (e.g., encryption).

So long as cloud access and use adhere to these restrictions, your organization will maintain HIPAA-compliant file storage.

 

Business Associate Agreements (BAA) and Cloud Storage

If a covered entity (or business associate) hosts ePHI in a fully secured private cloud environment, their standard HIPAA adherence efforts may be sufficient for compliant cloud storage.

However, if a covered entity partners with a cloud services provider to remotely host ePHI on off-site servers, both parties must create and sign a Business Associate Agreement (BAA). A BAA is a contractual agreement that stipulates the appropriate technical, administrative, and security safeguards enacted to protect ePHI, extending to state the limited, permissible uses and disclosures of the data.

Should a business associate suffer a data breach (as defined by HIPAA), they must notify their covered entity partner within 60 days.

 

HIPAA and the HITRUST CSF

The HITRUST Common Security Framework (CSF) was initially established to simplify HIPAA compliance. Though the CSF has been expanded to include numerous other frameworks via comprehensive mapping, its implementation will significantly help ensure HIPAA compliance—including HIPAA-compliant cloud storage.

RSI Security is a HITRUST expert and can facilitate your organization’s implementation and certification assessment.

 

Implementing HIPAA-Compliant Cloud Storage

HIPAA compliance quickly becomes a nebulous challenge for covered entities and their business associates. Since HIPAA does not outline explicit technical specifications to allow for organization diversity and scaling, the process of determining the appropriate solutions to implement and services to use is left to entities themselves. As a result, many organizations have turned to the HITRUST CSF for explicit technical guidance.

As a HIPAA and HITRUST compliance expert and cybersecurity services provider, partnering with RSI Security will help ensure your organization’s regulatory adherence.

To get started on implementing HIPAA-compliant cloud storage or other compliance efforts, contact RSI Security today.

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

How to Conduct a HIPAA Data Breach Analysis

October 5, 2021

What Is Considered a Breach of HIPAA?

November 14, 2019

How to Tell if Your Organization is a...

May 31, 2023

Top Healthcare Risk Assessment Tools

July 12, 2021

The Five-Step Process to HITRUST Healthcare Auditing

February 17, 2022

What Your HR Team Needs to Know About...

December 9, 2019

HIPAA Violation Reporting 101

October 21, 2022

Main Causes of Security Breaches in the Healthcare...

October 25, 2019

Guide to HIPAA Notice of Privacy Practices Requirements

April 12, 2022

Does HITECH Affect HIPAA?

August 22, 2019

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More