The game has changed. The stakes are higher. Prior to the advent of the Internet, sensitive data was kept under lock and key, and the only way it could be stolen or misappropriated was with a crowbar or coercion.
In the digital world of 2017, however, criminals can reach electronic files from across the globe with a few keystrokes and without ever breaking a sweat.
And healthcare is most certainly no exception to the rule.
Today, healthcare plans, providers, or clearinghouses looking to store or transmit patients’ electronic protected health information (ePHI) via the cloud must follow stringent and ever-changing compliance regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA).
Enacted in 1996, HIPAA governs how protected health information is used and disclosed in the United States. The Department of Health and Human Services' Office for Civil Rights (OCR) does not recognize any HIPAA "certification", for cloud service providers or anyone else, but in October 2016 it issued guidance on cloud computing that spells out what it expects of covered entities and the cloud vendors they use.
Healthcare entities and physicians covered under HIPAA should consider the following when enlisting a cloud hosting company to handle their sensitive data:
- Before any ePHI is stored or processed in the cloud, the covered entity (or its business associate) and the cloud service provider (CSP) must sign a business associate agreement (BAA) that sets out the CSP's obligations under the HIPAA Privacy, Security and Breach Notification Rules and its responsibility for safeguarding the client's data. Under the 2016 OCR guidance this applies even when the CSP receives only encrypted ePHI and never holds the decryption key: it is still a business associate.
- Additionally, the OCR urges agencies to choose a provider that offers a Service Level Agreement. An SLA can address HIPAA-relevant points the BAA may not, such as system availability and reliability, backup and data recovery, the division of security responsibility between customer and provider, and the means by which data will be returned (and then securely deleted) when the contract ends.
- Encrypting data in transit and at rest is considered best practice, and at least two layers, such as sending encrypted files over an encrypted connection, are preferred: one failed layer (a misconfigured TLS endpoint, a lost backup tape) then does not expose readable ePHI. Backups, disk drives and server storage should be encrypted as well. Encryption only delivers this protection when the keys are stored and managed separately from the data and the CSP's access to them is controlled; an encrypted volume whose key sits beside it is, for breach purposes, plaintext. Under the Breach Notification Rule, ePHI encrypted in line with HHS guidance is not "unsecured" PHI, so its loss without the key does not by itself trigger notification, which is what shields your agency from:
- HIPAA-related fines, which have historically reached totals in the millions.
- A damaged reputation in the eyes of patients and peer organizations.
- Liability and lawsuits.
- Choosing a cloud service provider that offers the appropriate controls and processes is critical. Look for a vendor that has submitted to independent audits of its security controls (for example SOC 2 or FedRAMP assessments), not just one that asserts the stability of its infrastructure.
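The "two layers" point above is easiest to see in code. The following is an added example, written for this page and not code from the original article or from any hosting provider: a record is sealed with AES-256-GCM before it ever leaves the customer's side, so the stored object stays protected whatever happens to the transport, and the transport is then pinned to TLS 1.2 or later as the second layer. The object path used as the authenticated context, the sample record, and the function names are all assumptions constructed for the example; the key is generated locally here, where a real deployment would wrap it with a KMS or HSM master key kept apart from the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// Wire format of a sealed object: 12-byte random nonce || AES-256-GCM ciphertext || 16-byte tag.
// ErrRejected covers every failure a caller should treat identically: wrong key,
// wrong context, truncated or modified data.
var ErrRejected = errors.New("sealed object rejected: wrong key, wrong context, or modified data")

// NewDataKey returns a fresh 256-bit data-encryption key. In a real deployment this
// key is wrapped by a KMS/HSM master key held apart from the stored data
// (envelope encryption); here it is generated locally so the example runs offline.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. context (for example the object path or
// record id) is authenticated but not encrypted, so a sealed blob cannot be
// moved under another record's name without the check in Open failing.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, producing the wire format above.
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal and returns ErrRejected on any integrity failure.
func Open(key, blob, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, ErrRejected
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, context)
	if err != nil {
		return nil, ErrRejected
	}
	return pt, nil
}

// TransportConfig is the second layer: the connection that carries the sealed blob.
// Refusing anything below TLS 1.2 is the floor; the blob stays protected even if
// this layer is terminated by a proxy or its traffic is captured.
func TransportConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	context := []byte("patient/1234/labs.pdf")         // constructed object path
	record := []byte("constructed sample ePHI record") // constructed, not real data
	blob, _ := Seal(key, record, context)

	got, err := Open(key, blob, context)
	fmt.Println("round trip:", err == nil && bytes.Equal(got, record))

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag, as a corrupted backup would
	_, err = Open(key, blob, context)
	fmt.Println("tampered copy rejected:", errors.Is(err, ErrRejected))
	blob[len(blob)-1] ^= 0x01

	_, err = Open(key, blob, []byte("patient/9999/labs.pdf")) // blob copied under another record
	fmt.Println("relocated copy rejected:", errors.Is(err, ErrRejected))
	fmt.Println("transport floor is TLS 1.2:", TransportConfig().MinVersion == tls.VersionTLS12)
}
```

The authenticated context is the detail worth copying: without it, a sealed blob that decrypts correctly could still be silently filed under the wrong patient, which GCM's tag alone does not catch.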
GovDataHosting remains one of the only cloud solutions to offer HIPAA-compliant cloud hosting exclusively for government customers. Contact us today to discover how we can help you.