There is a lot of uncertainty regarding the right cloud hosting provider for hosting ePHI (electronic Protected Health Information).
ePHI is the personal medical information of individuals in electronic form. Since it can lead to the identification of the person, the information is considered highly confidential and is protected under the HIPAA rules. The institutions that deal with PHI are called covered entities and business associates.
Covered entities or business associates sometimes require the services of a cloud hosting provider to store, manage, create or transmit Protected Health Information. In such cases, the cloud services provider is also considered a business associate, and the rules that HIPAA applies to a business associate apply to the cloud provider as well.
Therefore, while choosing a cloud provider, it is essential to analyze whether it is capable of operating in accordance with the HIPAA rules. Moreover, there are specific parameters, aside from HIPAA regulations, that you would want in a competent cloud hosting provider.
Let us have a look at some of the aspects that would help you choose the right cloud hosting provider for your health-related processes.
1. Business Associate Agreement (BAA)
A Business Associate Agreement is an agreement between a covered entity and a business associate. A business associate or covered entity is expected to sign such an agreement with the cloud hosting provider when it invests in hosting services, because in that case the hosting provider is itself considered a business associate under the HIPAA rules.
The BAA comprises all the points pertaining to the disclosure or use of the ePHI (electronic Protected Health Information). It establishes the security standards the covered entity or business associate expects from the cloud services provider.
Let us have a look at some main elements of a Business Associate Agreement.
- BAA defines the limitations regarding the usage of Protected Health Information by the business associate.
- BAA specifies the conditions under which the business associate might disclose the Protected Health Information.
- It specifies all the security safeguards that the business associate is expected to deploy in order to protect the ePHI.
- If asked by the US Department of Health and Human Services (HHS), the business associate must make its records and books available. HHS requests them when reviewing a covered entity for HIPAA compliance.
- If the business associate deploys another subcontractor on its behalf, the same agreement will apply to the subcontractor as well.
- If the contract is terminated, the business associate should return or destroy the data as specified by the covered entity.
- The covered entity is entitled to terminate the contract if the business associate violates the contract in any way.
A cloud hosting provider that receives, manages, stores, or creates ePHI is contractually liable to adhere to all the HIPAA rules associated with a business associate. While considering a cloud service provider, ensure that the provider can fulfill all the terms of the agreement.
2. Service Level Agreement (SLA)
SLA is an agreement between the cloud services provider and the customer. Unlike the Business Associate Agreement, this agreement specifies the level of service and features that the cloud provider is offering to the customer.
Although the BAA ensures that the business associate complies with the HIPAA regulations, it does not cover the operational aspects of the service provider. The SLA specifies operational aspects such as disaster recovery, uptime and response time, among others.
A Disaster Recovery Plan sets out how the data is kept safe and restored in the event of a disaster. The cloud provider should guarantee an uptime figure, which specifies how long your system will be operational in a year. For instance, some cloud providers offer you a minimum uptime of 99.99%, which means that your process is down only five minutes in a year.
When hosting confidential information such as PHI, you must make sure that the data is protected against system failures. The BAA covers security practices and safeguards but not the infrastructure-related aspects. While choosing a provider, always go through the SLA provided by the cloud hosting provider; it tells you whether the provider is capable of hosting sensitive information such as ePHI.
3. Security Practices
The HIPAA Security Rule specifies that the cloud hosting provider should deploy various safeguards to ensure the protection of ePHI. These include administrative, physical and technical safeguards. All of these safeguards are directed at protecting the data from access by any unauthorized entity.
There are other threats that could corrupt the PHI data stored on the cloud so that it cannot be recovered, malware attacks being one example. Other forms of attack, such as DDoS attacks, result in the process being shut down altogether. The cloud service provider should also be well-equipped to prevent and mitigate these attacks.
Here are some of the standard security practices that the cloud hosting provider is expected to follow.
- Data monitoring and analysis
- Hardware and software firewalls
- Intrusion Detection and Prevention System
- Multi-factor authentication
- 256-bit Data Encryption
The infrastructure of the data center in which the data is hosted should also offer a secure environment. Look for Tier-3 or Tier-4 data centers. Certain certifications, such as SSAE-16, also attest to the competency of the data center.
4. Support
Support is a vital factor when it comes to HIPAA compliant hosting. Let us assume there is a change in staff roles and you need to edit the access permissions to the data in the cloud. It may require revoking access for some users and granting access to others. What do you do? All you have to do is call the cloud provider, and their support team will take care of the issue.
Most renowned cloud hosting providers offer 24x7x365 support. They also have an efficient ticketing system to segregate issues on the basis of priority. As the online portal, software or application hosted on the cloud contains vital information about the patients, it is of paramount importance to continually monitor and resolve any issues with them.
5. Data Center Location
The HIPAA Rules do not restrict the location of the data center that covered entities or business associates use to store ePHI. The cloud hosting provider can host the ePHI in any geographic location, provided that the covered entities and the business associates follow the HIPAA rules. They are also expected to have a BAA (Business Associate Agreement) in place with the cloud hosting provider.
However, the OCR (Office for Civil Rights) notes that there is a risk factor when it comes to hosting in data centers outside the United States. While choosing a cloud hosting provider, prefer the ones with data centers in the US. Some countries do not enforce laws related to data privacy, and as a result, data hosted in those countries is more exposed to breaches and malware attacks.
Choose Your HIPAA Compliant Cloud Provider Wisely!
The HIPAA rules bind all covered entities and business associates. If you fall under these categories and want to host your services with a cloud provider, the cloud provider is also expected to follow the HIPAA regulations. Make sure that the BAA comprises all the clauses regarding the responsibilities of the cloud provider to adhere to the HIPAA rules. The SLA should also be read carefully before you decide on a cloud provider.
Robust security practices and infrastructure are a must. You want your PHI to be secure from external attacks as well as internal system failures. It is also preferable for the data center to be located in the United States itself.
Make sure the cloud services provider is well-informed about the HIPAA rules and capable of hosting your services, as non-compliance with HIPAA leads to heavy penalties.