Accessing medical records on-demand, whether a patient is with their primary care provider or walking into a clinic on the opposite coast, is critical to making fully-informed, time-sensitive decisions related to an individual’s health. Insurance providers, health care plans, clearinghouses, and pharmacies similarly rely on up-to-date patient records. With all this data flowing around and being stored in the cloud, what’s keeping electronic protected health information (ePHI) safe?
The Health Insurance Portability and Accountability Act (HIPAA) sets forth stringent and evolving compliance regulations that govern how sensitive medical information is used and disclosed globally. HIPAA guidelines must be followed by:
- Health plans and government programs that pay for health care, like Medicare and Medicaid;
- Most health care providers like doctors and hospitals, but also psychologists, nursing homes, and dentists;
- Health care clearinghouses and any entity that processes health information; and
- Contractors, subcontractors, business associates, or other organizations that may access health information to provide services to the above entities or government agencies.
HIPAA directs organizations to enact safeguards that protect health information and ensure that such information isn’t disclosed improperly. It can be a daunting task, but the penalties for failing to comply are steep and include HIPAA-related fines (which historically have totaled in the millions of dollars), damaged reputation and credibility, loss of public trust, and extensive exposure to lawsuits.
What to Look for in a HIPAA-Compliant Cloud Services Provider (CSP)
To comply with HIPAA regulations and to protect ePHI, many health care entities and government agencies turn to credentialed cloud hosting providers. Selecting the right cloud infrastructure and cloud hosting services provider can have lasting ramifications, so how do you get it right? First, look for a cloud services provider (CSP) that has extensive experience in hosting ePHI and complying with HIPAA regulations. Then, make sure they commit themselves to routine, comprehensive audits verifying infrastructure stability. This will demonstrate the CSP has the appropriate controls and processes in place to manage your data well.
When you enter into a business arrangement, demand a Service Level Agreement that addresses the various HIPAA concerns, such as system availability and reliability, back-ups and data recovery, security responsibility, and the means by which data will be returned to you after the contract ends. At every stage of the data lifecycle, both in transit and at rest, ePHI, including the copies held on back-ups, disk drives, and servers, should be protected with at least two levels of encryption.
Not sure where to get started? Get in touch with GovDataHosting to discuss our extensive HIPAA experience and hosting options. Our FedRAMP certified cloud services and information assurance solutions can help meet your unique requirements and budget, no matter the size or scale of the project.