Maintain HIPAA Compliant Cloud Storage in 2023

Healthcare providers are among the greatest beneficiaries of modern IT advancements, and cloud technologies are no exception. HIPAA-compliant cloud storage allows for fast, secure access to patient data, enabling timely medical evaluations and treatment decisions. However, under the Health Insurance Portability and Accountability Act (HIPAA), the use and storage of protected health information (PHI) must follow strict security and privacy rules. Without the right safeguards in place, cloud storage can expose organizations to compliance risks. So, how can healthcare organizations maintain HIPAA-compliant cloud storage effectively?

HIPAA-Compliant Cloud Storage

When PHI is stored electronically (ePHI), cybersecurity measures must be implemented for HIPAA compliance that may seem opposed to the access benefits achieved with cloud storage. However, healthcare entities and organizations that must maintain compliance can still leverage cloud access if done so properly.

Implementing HIPAA-compliant cloud storage depends on an understanding of:

• PHI and electronic PHI
• Entities subject to HIPAA
• HIPAA Regulations
• Cloud storage uses and capabilities

Developing and maintaining HIPAA-compliant cloud computing architecture and storage access policies presents healthcare IT security teams with significant challenges. Partnering with a cybersecurity and compliance expert can help simplify cloud usage that adheres to regulations.

PHI and ePHI

Protected health information (PHI) and its digital counterpart (ePHI) comprise individuals’ personal data utilized within healthcare settings. HIPAA covers 18 categories—termed “identifiers”—of personally identifiable information (PII) that are regarded as PHI:

1. Names
2. Residence location (or specific geographic information)
3. Important dates (e.g., date of birth, treatment dates)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security number (SSN)
8. Medical record numbers or identifiers
9. Health plan beneficiary numbers or identifiers
10. Account numbers (e.g., credit card data)
11. ID or license numbers
12. Vehicle identifiers (e.g., license plates, vehicle identification number (VIN))
13. Device identifiers and serial numbers
14. Website URLs
15. IP addresses
16. Biometric data (e.g., fingerprints)
17. Full-face photographic (or comparable) imagery
18. Other unique numbers, characteristics, or codes that may be used to identify the individual

Any data that may be categorized according to these 18 identifiers and is stored in the cloud must be interacted with via HIPAA-compliant processes.

Request a Free Consultation

Broader HHS Definition of PHI

More broadly, HHS defines PHI as any data that may identify an individual—including demographic data and regardless of any temporal relation to the individual or provided healthcare. This definition covers:

• Physical or mental health or conditions
• The care provided to a patient
• Payment data for received healthcare services

 

Who is Subject to HIPAA Compliance?

HIPAA regulations and guidance utilize specific terminology when referring to the various organizations subject to compliance:

• Covered entities – Generally comprise healthcare entities that collect, store, or interact with PHI, including:
  • Healthcare providers
  • Health plans or insurance providers
  • Healthcare clearinghouses
• Business associates – Any organization that collects, stores, or interacts with PHI as a result of its services provided to covered entities, including:
  • Claims processing
  • General IT or cybersecurity service delivery
  • Data analysis
  • Utilization review
  • Medical billing
  • Business associates’ third-party contractors

HIPAA regulations pertaining to cloud storage implementations mostly affect covered entities and IT or cybersecurity service providers. However, any organization that stores PHI in a cloud environment or interacts with it via cloud computing must follow the same regulatory adherence.

HIPAA Regulations

HIPAA constitutes one of the more stringent and broadly applicable compliance standards and spans numerous “rule” publications issued by the US Department of Health and Human Services (HHS). HIPAA enforcement falls under HHS’ Office for Civil Rights (OCR).

By regulating the use and disclosure of patients’ PHI, HIPAA affects virtually all aspects of healthcare.

Note that, unlike many other compliance frameworks, HIPAA does not stipulate specific cybersecurity or other IT implementations. Instead, HIPAA focuses on the results (i.e., proper, confidential use and disclosures).

HIPAA Rules Relevant to Cloud Storage

The HIPAA regulations relevant to cloud storage are:

• Privacy Rule – The Privacy Rule establishes the overarching restrictions on and permitted uses and disclosures of PHI, which informs the cybersecurity and technical specifications contained in other rules for covered entities must follow.
• Security Rule – The Security Rule outlines the administrative, technical, and physical safeguards that covered entities must implement to protect PHI. With regard to cloud storage, the Security Rule requires that covered entities:
  • Protect PHI’s confidentiality, integrity, and availability—regardless of which individual or entities created, transmitted, or stored the data
  • Determine and protect against “reasonably anticipated threats” to PHI
  • Prevent “reasonably anticipated, impermissible uses and disclosures”
  • Maintain their employee’s HIPAA compliance
• Breach Notification Rule – Under HIPAA, a “data breach” does not constitute a compromised cybersecurity architecture but, rather, any use or disclosure not permitted by the regulation. Data breach reporting depends on the number of individuals affected:
  • Less than 500 individuals – Report to the Secretary of HHS within 60 days of the end of the calendar year.
  • 500 or more individuals – Covered entities must report to the Secretary of HHS within 60 days, notify affected individuals, and notify a media outlet within local geographic proximity to the affected individuals.

 

Cloud Storage and HIPAA Compliance

As HIPAA doesn’t stipulate specific technology implementations, adopting cloud storage doesn’t inherently create compliance violations. Cloud usage remains compliant if processes and user access adhere to the permitted, confidential uses and disclosures governing PHI protections.

According to the Security Rule, HIPAA-compliant storage must enforce:

• Access Controls – Authorized individuals must be the only personnel provisioned with access to ePHI regardless of its storage location. Personnel should generally have their access restricted according to the “principle of least privilege,” or strictly what is necessary to perform job responsibilities—no more, no less.
• Audit Controls – Covered entities must record user activity related to ePHI in audit logs for auditory review and assessment. Audit controls may comprise hardware, software, or procedural mechanisms.
• Integrity Controls – ePHI must not be altered or destroyed improperly, with technical safeguards to both prevent this from occurring and verify that it hasn’t.
• Transmission Security – Any ePHI transmitted over electronic networks (e.g., cloud access, between covered entities) must be sufficiently protected via technical safeguards (e.g., encryption).

So long as cloud access and use adhere to these restrictions, your organization will maintain HIPAA-compliant file storage.

Business Associate Agreements (BAA) and Cloud Storage

If a covered entity (or business associate) hosts ePHI in a fully secured private cloud environment, their standard HIPAA adherence efforts may be sufficient for compliant cloud storage.

However, if a covered entity partners with a cloud services provider to remotely host ePHI on off-site servers, both parties must create and sign a Business Associate Agreement (BAA). A BAA is a contractual agreement that stipulates the appropriate technical, administrative, and security safeguards enacted to protect ePHI, extending to state the limited, permissible uses and disclosures of the data.

Should a business associate suffer a data breach (as defined by HIPAA), they must notify their covered entity partner within 60 days.

HIPAA and the HITRUST CSF

The HITRUST Common Security Framework (CSF) was initially established to simplify HIPAA compliance. Though the CSF has been expanded to include numerous other frameworks via comprehensive mapping, its implementation will significantly help ensure HIPAA compliance—including HIPAA-compliant cloud storage.

RSI Security is a HITRUST expert and can facilitate your organization’s implementation and certification assessment.

Implementing HIPAA-Compliant Cloud Storage

Maintaining HIPAA-compliant cloud storage can be complex, especially since HIPAA does not prescribe specific technical solutions. Instead, covered entities and business associates must identify security measures that align with their unique size, operations, and risks. To bridge this gap, many organizations look to the HITRUST CSF framework for detailed technical guidance.

RSI Security is a trusted HIPAA and HITRUST compliance partner with decades of experience helping healthcare organizations safeguard PHI. From risk assessments to technical implementation and long-term monitoring, our experts ensure your cloud storage environment meets all regulatory requirements.

To get started on implementing HIPAA-compliant cloud storage or other compliance efforts, contact RSI Security today.

Download Our HIPAA Compliance Checklist