Maintaining compliance with the HIPAA standards governing Protected Health Information (PHI) is difficult enough in a tightly controlled, enterprise-owned IT configuration. Doing so becomes much more complicated in the short term, but potentially easier in the end, when businesses move to the cloud. On one hand, cloud providers with robust systems can do much of the data and system management heavy lifting, easing the technical burden on businesses and allowing them to focus on policy matters. However, things aren’t always so simple in the HIPAA world. With that in mind, here are three of the most important issues to consider when working to ensure HIPAA compliance in the cloud:
1. Get proactive in adjusting to HIPAA standards
In many cases, businesses are playing a game of perpetual catch-up when it comes to HIPAA compliance, and the issue stems from the standard itself. Speaking at the Healthcare Security Forum, industry expert and lawyer Matt Fisher told audiences that HIPAA was designed and implemented at a time when many of the IT solutions gaining mainstream prominence, including the cloud, weren’t in wide use in the health care industry, Healthcare IT News reported. Because of this, HIPAA regulations are constantly changing, and businesses are stuck in a cycle of finding new problems and needing to react.
2. Ensure you understand nuanced HIPAA terminology
Electronic Protected Health Information, business associate agreement, information de-identification: These terms show up throughout HIPAA compliance conversations, and they represent the core of the regulation.
In essence, HIPAA exists to enforce quality standards that help keep personally identifiable health information in all forms private. The laws extend out to business associates, such as cloud providers, so you need to align your HIPAA strategies with the capabilities of your vendor. Responsibilities should be set forth in a clear business associate agreement. However, information de-identification can be a simple way to move data into the cloud without risk because de-identified data no longer falls under HIPAA’s purview. None of this is simple, but it is key to understand the ins-and-outs of these terms if you want to maintain compliance.
A Compliance and Ethics guest blog by Grant Elliott, the co-founder and president of the Health Care Cloud coalition, detailed six of the most common questions that come up when health care providers start thinking about HIPAA and the cloud. Four of those questions involved how these core terms apply in action. Any regulatory standard will have its own language and terminology. Understanding key terms is critical to demystifying compliance.
3. Take vendor partnerships extremely seriously
A signed business associates agreement is critical to determining the responsibilities of the cloud provider and those of your organization. However, you shouldn’t just look for a cloud service that claims HIPAA compliance, sign a BAA and consider yourself safe. The reason is surprisingly simple: There’s no such thing as a HIPAA-compliant certification for technology providers. Instead, most vendors claiming compliance have probably completed an internal audit or brought in a third-party expert to assess their systems and are claiming compliance accordingly. It’s up to you to do your homework and make sure those audits are accurate and up to date.
According to Healthcare IT News, Fisher went as far as to tell audiences at the Healthcare Security Forum that some cloud providers are trying to deceive health care providers.
“There’s no such thing as being designated HIPAA compliant or certified,” Fisher explained to conference attendees. “A product, by itself, cannot be compliant. HIPAA applies to covered entities and business associates. Relying on statements from vendors will just lead you into trouble.”
Instead of seeking a blanket claim of compliance from a cloud service, organizations need to assess the technology, processes and culture of solution providers. The Google cloud is designed with such a philosophy in mind as the platform is built around processes and procedures that promote compliance as opposed to making broad promises.
A Google Cloud Platform guide on HIPAA compliance provides an excellent example of the kind of genuine transparency businesses should look for. The article almost immediately goes out of its way to highlight that it is providing advice and guidance and points out that there isn’t an official certification for compliance. Instead, Google advises an approach of shared responsibility between the cloud provider (in this case Google) and the customer. From there, the blog highlights some of the ways the Google cloud supports HIPAA compliance, while also specifying customer responsibilities and providing general guidance.
This type of visibility and assistance can be instrumental in helping organizations achieve HIPAA compliance as they move into the cloud, and Dito can take these benefits to another level. As a Google Cloud Premier Partner, we have helped many companies navigate the confusion of maintaining compliance in heavily regulated industries. Whether you are trying to enable your organization with mobile-friendly cloud productivity tools or shifting sensitive workloads to the cloud, our certified cloud engineers can guide you through the migration.