Cloud Computing Meets HIPAA Omnibus: A Provider Checklist
(Editor's Note: This guest blog was written by Frankie Rios, CISSP, VP information security and compliance, GNAX)
Cloud computing and storage are an established migration path and IT strategy.
Overall spending on cloud technology is expected to reach an estimated $150 billion annually by 2014, according to a recent Gartner Group study. And within healthcare, 35 percent of health IT professionals surveyed said their organization was implementing or maintaining cloud computing in 2012, up from 30 percent in 2011, according to a new survey by Vernon Hills, Ill., technology vendor CDW.
However, not every software application in healthcare is a candidate for moving to the cloud. And many old myths about cloud computing and cloud storage continue to confuse both covered entities (CEs) and business associates (BAs).
The HIPAA Omnibus Rule, published in January 2013, finalizes the changes to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules that the HITECH Act called for, and it settles how those rules apply when technology vendors handle protected health information (PHI). Below are five key changes under the Omnibus Rule:
Business associates (BAs) of covered entities (CEs), and the subcontractors of those BAs, are now directly liable for compliance with certain Privacy Rule and Security Rule requirements, rather than only through their contracts.
The rule strengthens the limitations on the use and disclosure of PHI for marketing and fundraising, and it prohibits the sale of PHI without the individual's authorization.
It adopts the increased, tiered civil monetary penalty structure established by the HITECH Act.
It finalizes the HITECH breach notification requirements for unsecured PHI: an impermissible use or disclosure is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
It modifies the HIPAA Privacy Rule as required by GINA (the Genetic Information Nondiscrimination Act), prohibiting most health plans from using or disclosing genetic information for underwriting purposes.
With the increased focus on cloud computing, healthcare organizations should develop a set of criteria that helps evaluate potential cloud vendors and their compliance with these requirements. Here is a list to help healthcare providers get started.
Risk Assessment
In order to protect themselves, CEs should perform a risk assessment of every existing or potential cloud vendor before PHI is entrusted to it. The assessment should cover the vendor's policies, privacy and security awareness training, account management, physical security, business continuity, incident response, and media disposal. Keep the assessment documents and the vendor's written responses for six years, as the Security Rule's documentation standard requires, and have them readily accessible should Office for Civil Rights (OCR) auditors come knocking.
Contracts
Review your existing Business Associate Agreements (BAAs) with cloud computing partners and ensure they are updated to comply with the Omnibus Rule: the BAA must obligate the vendor to comply with the Security Rule, to report security incidents and breaches to you, and to flow the same obligations down to any subcontractor that handles your PHI. Contract language should also be specific as to the service, the permitted uses, and the geographic location of the data to be stored in the cloud.
For cloud-based partners using multi-tenant hardware, the specific technical and procedural controls that separate one CE's or BA's information from another tenant's should be stated in the contract, not left to a marketing description. Include an indemnification clause and require evidence that the cloud vendor carries cyber-liability insurance sufficient to cover the notification, investigation and remediation costs of a breach; indemnification is only as good as the vendor's ability to pay.
Audit
Know whether the existing or potential cloud vendor has been independently audited. Do they have a current SSAE 16 / SOC report, and which one? A SOC 1 covers controls relevant to financial reporting; for PHI you want a SOC 2, and a Type II rather than a Type I, because a Type II tests that the controls operated over a period of months rather than merely existing on the day of the audit. If there were findings, is there a documented remediation plan with dates? Are regular internal audits conducted, and is the cloud vendor willing to share the results?
Encryption
Does the vendor encrypt information in transit and data at rest? Be precise about what HIPAA actually says here. Under the Security Rule, encryption is an "addressable" implementation specification: it is not strictly mandatory, but a CE or BA that does not implement it must document why and what equivalent safeguard is in place. Under the HITECH breach notification provisions, PHI that is encrypted in a manner consistent with HHS guidance (which points to the NIST standards for storage and transmission encryption) is "secured" PHI, so the loss of an encrypted drive or an intercepted encrypted session is not a reportable breach. That safe harbor is the practical reason to insist on encryption for both pathways. Ask cloud vendors to define their encryption methodologies for both, including the algorithms and protocol versions used, and ask who holds the keys: if the vendor manages the keys, encryption protects you from a lost disk but not from the vendor's own staff or a compromise of the vendor's systems.
Business Continuity
Business continuity has always been a must-have with cloud-based solutions, and the Security Rule has long required a contingency plan for ePHI; the Omnibus Rule's direct liability for BAs makes it the vendor's obligation as well as yours. Questions to answer include:
How redundant is the vendor's power?
How many independent power feeds does the vendor utilize?
How many Internet feeds, and from how many carriers?
How often do they test failover and restoration from backup, and will they share the results?
Do they keep their equipment sufficiently maintained?
A well-chosen cloud solution can keep your PHI private, secure and in compliance with the Omnibus Rule. It is your due diligence, documented and repeated as vendors and the rules change, that ensures it does.