Get Your Patient Data in the Cloud….Before It’s Too Late
Use of the cloud is exploding. Healthcare organizations and their associates are joining the fray. But there are a lot of questions. Is it the right move or should I keep the status quo? Where will my data be? Is it safe? All of this uncertainty has led to the Department of Health and Human Services ("DHS") to issue guidance on the use of the cloud.
HIPAA mandates protection for Protected Health Information ("PHI") when used by either a Covered Entity ("CE") or a Business Associate ("BA"). Under HIPPA, CE's are defined as health plans, health care clearinghouses, and health care providers. BA's are persons or entities that perform functions or activities for CE's that involve the use of PHI.
When either a CE or a BA decides to place PHI in a cloud, the Cloud Provider becomes a BA under HIPAA. As a result, the Cloud Provider must enter into a HIPAA-compliant BA Agreement ("BAA") with the contracting party and is responsible for maintaining the privacy of the PHI as stipulated by HIPAA.
Open the pod bay doors, HAL.....
Many organizations are worried about opening their doors and shipping their data out to the cloud. Years of thoughtful planning and safeguards that have been carefully and painstakingly implemented should now be abandoned in favor of defenses that are not directly controlled. But, there is help out there. Organizations such as the NIST Cloud Computing Security Working Group ("NCC-SWG") have been created in an effort to facilitate adoption of secure cloud services.
Traditional security systems have to deal with a mix of technologies, some internally built, others from diverse vendors. They have been implemented with different standards and to achieve diverse goals. Additionally the full cost of providing security is often spread across multiple areas and cost centers. The mixture of varied types of systems using different technologies may end up providing more gaps for hackers to exploit. Is this more secure than the cloud?????
A Change Would Do You Good
Cloud Providers have to worry about PHI even if the data is encrypted, and even if they don't have the encryption key for the data. Lacking an encryption key does not exempt a Cloud Provider from BA status and obligations under the HIPAA Rules. DHS guidance indicates that encryption is just a piece of an overall protection scheme. The HIPAA mandate to protect PHI compels BAs and CEs to look for Cloud Providers with multiple layers of operational and physical security. They also want services that make key management and encryption of PHI easy to manage.
Cloud Providers have security as job 1. Without it they are out of business and they are getting very good at it. Recently the CIO of Homeland Security Department, Luke McCormack and the CIO of the CIA, John Edwards indicated that with constant budget and time constraints they have found security value from cloud services sold by private sector Cloud Providers.
Get out of Jail ...Free
One option that relieves a Cloud Provider of both responsibilities and liabilities of storing PHI is to fully de-identify the PHI prior provisioning the data to the cloud. According to the DHS guidance, when the Cloud Provider receives de-identified data, it is NOT considered a BA. HIPAA does not restrict the use or disclosure of de-identified information as the information is not considered PHI.
So organizations can take a relatively risk free first step into the cloud by finding their PHI on their databases and they de-identifying it prior to sending it to their Cloud Provider. One small step for a CIO, but one giant leap for an organization.