Why Being HIPAA Compliant Is Important for Major Cloud Services
The healthcare industry is coming into the digital age. Yes, that often means being dragged kicking and screaming, but it’s coming, nonetheless. In the U.S., that means following the guidelines for protecting patient information laid out in the Health Insurance Portability and Accountability Act or HIPAA, for short.
Today’s HIPAA guidelines ensure that confidential patient information is stored electronically and in a manner that’s secure. That’s a good thing. These guidelines don’t just cover healthcare professionals, either, but hospital consultants, insurance companies and service providers that work with certain patient data, too.
That includes many of the best EFSS and best online backup providers reviewed by CommQueR.com. With the money tied to the healthcare industry, which now accounts for 17.8 percent of the GDP in the U.S., this is an industry most cloud services can’t afford to ignore.
Coming up we’ll discuss the basics of HIPAA compliance, its importance and how business that work with patient data can get compliant themselves. For many businesses, that means finding cloud services that are HIPAA compliant, so we’ll make some recommendations on that front, too.
What Does it Mean to be HIPAA Compliant?
HIPAA is ultimately about patient privacy. It’s the U.S. standard for protecting sensitive patient data, including personal health information (PHI) like doctor’s notes and your prescription records and personally identifiable information (PII) like payment and health insurance information.
The original version of HIPAA was passed by Congress in 1996 and signed into law by President Bill Clinton. While it covered a number of different issues not necessarily relevant to medical records, in recent years those guidelines in particular have gained increased prominence as data has shifted to the cloud and the Department of Health and Human Services (HHS) has revised HIPAA to keep up.
Two critical additions came in 2000 and 2003: the Privacy Rule and the Security Rule. The Privacy Rule set federal mandates designed to protect patient medical data. The Security rule set standards for electronically-stored patient medical data and its safe handling. As a result, companies compliant with HIPAA today have in place are a mixture of technological, physical and procedural security safeguards developed around ensuring privacy.
Further, HIPAA provides a procedure to follow in the event there is a data breach that includes notifying HS and affected parties. It also gives the HHS the right to audit a business’s compliance documentation.
In light of the many recent data breaches, it is important to note that HIPAA does not require entities to guarantee the security of data. Instead, it simply provides the guideline that they use a combination of state-of-the-art technological safeguards combined with good procedures to do the best job possible at protecting information.
Who Needs to be HIPAA Compliant?
HIPAA compliance means making sure that patient data gathered in hospitals and doctor’s offices is kept safe. However, HIPAA’s reach these days extends far beyond smell of disinfectant and sounds of patients coughing.
Much of that is thanks to the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). With its passage, HIPAA also covered businesses associated with or providing services to entities covered under HIPAA.
That means in addition physician offices, hospitals, pharmacies and other practices that generate medical records, HIPAA covers business that don’t provide direct care but still touch patient data. That includes consultants and insurance companies. It also includes businesses that provide software as a service designed to work with patient data.
For example, a mobile application like Pigeon that allows you to text your doctor needs to be HIPAA compliant. You can also get a HIPAA compliant version of your Gmail account.
The rules apply to cloud services, too, that wish to host medical records for healthcare organizations and their associates. That includes online backup providers like you can read about in our IDrive for Business review. It also includes niche cloud storage services like Sync.com and enterprise sync and share (EFSS) services like Egnyte (Egnyte review).
Steps to Becoming HIPAA Compliant
For a business, attaining and staying compliant with HIPAA is probably much easier than you would expect. You may want to engage an expert familiar with HIPAA, risk management and compliance audits to spearhead the process. However, taking those steps opens up many new revenue streams.
The basic approach to achieve compliance is to look through information systems to identify potential weaknesses (risk assessment) and then put in place technical, physical and procedural safeguards to correct those weaknesses (risk mitigation).
There are three types of safeguards that need to be given attention:
- Technological safeguards: These are the many different ways to control and record access. They can include measures such as system-enforced password changes at regular intervals, limiting access privileges to only those who need to see information, data encryption and keeping logs of access and changes to records
- Physical safeguards: These measures can be as simple as whether the doors are locked at night and whether there is a remote server backup in place in the event of a problem. This will also include policies on workstation access and employee use of media such as USB drives
- Procedural safeguards: These are data integrity checks such as regular backups that ensure the data is both accurate and uncorrupted. This also gets into disaster and breech identification and recovery to ensure someone is regularly checking the system and catches problems in a timely fashion
Businesses also need to document what’s been done to become HIPAA compliant and document certain actions going forward.
Once a business documents that it meets these criteria, it can enter into Business Associate Agreements (BAA) with direct healthcare industry professionals and their associates. BAAs state that the business will maintain adherence with HIPAA regulations and that it acknowledges its responsibility to report certain system failures and virtual attacks.
If you plan on working with patient data and using a cloud file-hosting system, it may be necessary to pick cloud storage and online backup services that are HIPAA compliant, themselves. You can tell these services are compliant by their offering of a BAA.
Protecting Medical Records in the European Union
In the European Union, data protection is part of Article 16 of the governing treaty with Data Protection Directive 95/46/EC, which all nations have adopted as part of their laws. It has specific sections addressing healthcare data, it’s uses and the sharing of this data for both personal and public interest.
While HIPAA is, at it’s heart, a guideline to use best practices and good documentation, the Data Protection Directive is much more detailed in the security protection measures required. U.S. businesses looking to comply with the EU’s directive can take advantage of the U.S.-EU Safe Harbor Framework. It is important to be aware of both because, for a storage provider, the location where the data is physically stored will affect which set of rules that must be complied with.
Final Thoughts
For major cloud service providers, being HIPAA compliant opens a wealth of opportunities as far as working with businesses in the healthcare sector. It also gives customers in other industries a standard against which to judge your security practices and policies. While HIPAA does not require that everything be perfect, it does require that there be enough procedural checks to ensure problems are caught and dealt with in a timely fashion.
If you work with patient medical records yourself and intend to make use of cloud storage to collaborate with your associates or online backup tools to protect your devices and servers, knowing which services are HIPAA compliant and which aren’t is critical to making sure you don’t put your endeavors into legal jeopardy. Be sure to always look for that BAA.
Questions or comments? Let us know in the comments below; thanks for reading.