Imagine, for a moment, a worst-case scenario involving HIPAA-compliant cloud storage.
Imagine you're a hospital IT director who finds a skull-and-crossbones graphic on his screen and a ransom demand for $50,000 in bitcoin for the patient data that has just been locked up. Worse, the director realizes that he was about to implement the safeguards the HIPAA Security Rule requires, but hadn't gotten around to it yet. Maybe he could buy a winning lottery ticket and make a run for the Caribbean?
Moral of the story: administrators need to adopt HIPAA-compliant cloud storage, and they need to do it without delay. So let's take a look at what this involves.
HIPAA stands for the Health Insurance Portability and Accountability Act, which Congress passed in 1996. Its Privacy and Security Rules govern how the healthcare industry collects, stores, shares, and transmits protected health information (PHI), particularly electronic PHI (ePHI).
In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened the security and privacy requirements for HIPAA-regulated data and raised the penalties for violating them.
In 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued the HIPAA Omnibus Final Rule, which writes the HITECH changes into the HIPAA regulations and further strengthens privacy rights and protections.
What are Covered Entities?
Covered entities (CEs) are the organizations and individuals directly subject to the HIPAA rules: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions. In those roles they create, receive, maintain, and transmit PHI, and they are ultimately responsible for complying with the regulations.
For example, HITECH addresses the electronic health record (EHR) systems in which most ePHI now lives, while the HIPAA Security Rule's contingency plan standard requires a data backup plan and a disaster recovery plan for that data.
Covered entities may contract with business associates (BAs) that create, receive, maintain, or transmit ePHI on the CE's behalf. Cloud providers and managed service providers (MSPs) are common business associates. The CE retains ultimate responsibility for protecting PHI, but HITECH made business associates directly liable for complying with the Security Rule, and with the applicable Privacy Rule provisions, in their own right.
How Bad are the Penalties?
The HITECH Act added protections to HIPAA and sharply increased the penalties for noncompliance. Before HITECH, a HIPAA penalty was just $100 per violation, capped at $25,000 per year for repeated violations of the same provision. It was often cheaper for a covered entity to stay noncompliant than to upgrade its data security and administrative systems.
The new penalties have much bigger teeth. Penalties still start at $100 per violation, but rise to $50,000 per violation depending on the tier of culpability, from violations the entity could not reasonably have known about up to willful neglect left uncorrected. Instead of $25,000 per year for identical violations, the annual cap is now $1.5 million for each provision violated.
The healthcare industry is rapidly digitizing its records and using electronic transmission to share PHI with any number of providers. Cloud storage lets healthcare providers offload massive amounts of data, taking advantage of the cloud's scalability, flexibility, electronic sharing, backup, security controls, and reasonable cost.
But this popularity has a shadow side: can the CE ensure that its cloud provider complies with HIPAA? Does its offsite backup follow all of the regulations?
Many cloud storage providers state that they support HIPAA, meaning that their data centers and data-management practices comply with the Privacy and Security Rules. They may or may not help their CE customers with configuration, however, and a provider whose data centers comply will still store ePHI exactly as the customer configures it, public-access settings included. This leaves CEs at risk of noncompliance because they did not understand how to configure their own cloud storage. And some cloud providers claim HIPAA compliance but are unwilling to sign a business associate agreement (BAA).
A signed BAA is the contract that binds the cloud provider to HIPAA's requirements: physical and digital security, ePHI privacy, storage management and backup, user authentication, and administrative practices. Without one, the CE has no contractual assurance of any of these, and the Privacy Rule does not permit it to hand PHI to the provider in the first place.
HIPAA-compliant cloud storage therefore requires three things: a well-defined security policy, a compliant file-transfer path for ePHI in transit, and secure infrastructure for ePHI at rest.
When reviewing a cloud provider, check how well it complies with HIPAA's three major rules for protecting PHI: the Privacy Rule, the Security Rule, and the Breach Notification Rule:
- The HIPAA Privacy Rule limits how PHI may be used and disclosed, protecting patients against invasions of their privacy. In 2013, Shasta Regional Medical Center (SRMC) paid $275,000 to settle allegations that it shared a patient's medical information first with the media and then with its entire staff, about 900 people, in a detailed email. The patient had complained to the media about her treatment and alleged that the hospital disclosed her information in retaliation.
- The HIPAA Security Rule guards against the theft and exposure of ePHI by requiring administrative, physical, and technical safeguards. In 2017, a hospital system paid a $5.5 million settlement for violating the Privacy and Security Rules: for about a year spanning 2011 and 2012, 12 employees had used a former employee's still-active login to access the ePHI of more than 115,000 patients. A login that should have been disabled at termination, and an access pattern that routine review of the audit logs would have surfaced, went unnoticed the whole time. Two of those employees used the ePHI to sell Social Security numbers and file fraudulent tax returns.
- The HIPAA Breach Notification Rule requires CEs to notify affected individuals and HHS when they discover a breach of unsecured PHI (PHI encrypted in line with HHS guidance counts as secured, which is one reason encryption at rest matters so much in the cloud). Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, whatever the size of the breach. For breaches affecting 500 or more individuals, the CE must also notify HHS within those same 60 days and, when 500 or more residents of a state or jurisdiction are affected, notify prominent media outlets; smaller breaches are reported to HHS in an annual log within 60 days of the end of the calendar year. Where the CE lacks current contact information for 10 or more affected individuals, it must post a substitute notice prominently on its website or through major media. In 2017, a healthcare network agreed to a $475,000 settlement after a series of breach notification delays dating back to 2013.
HIPAA compliance in the cloud doesn't happen by accident. First, when you're looking for a cloud provider, make sure that it publicly states HIPAA compliance. Not every provider that claims compliance will sign a BAA, so read the small print.
Know which services you want to contract for. If any of them will touch ePHI, ask the provider whether it will sign a BAA covering those specific services. Also ask about its risk assessments, infrastructure, encryption in transit and at rest, physical security, and the isolation it provides between tenants in a multitenant environment.
Look for cloud providers that are HIPAA-compliant and that will sign a BAA. That does not mean the CE can sign on the dotted line and walk away. Most HIPAA-compliant cloud providers operate under a shared responsibility model, where the CE and the BA split compliance responsibilities: the provider secures the underlying infrastructure, and the customer secures how it configures and uses the services on top of it. Here are some examples:
Google's HIPAA BAA covers Google Cloud Platform (GCP) infrastructure. The CE is still responsible for creating a secure environment and for the applications it builds on GCP, including backing up ePHI. Google will also sign a BAA for select G Suite applications, including Gmail, Calendar, Docs, Sheets, Slides, and Forms.
- From Google: “Customers who are subject to HIPAA and want to utilize any Google Cloud products in connection with PHI must review and accept Google's Business Associate Agreement (BAA). Not all Google Cloud products are designed to comply with HIPAA and only certain specified products are covered under the BAA.”
Microsoft offers a BAA for most Microsoft Online Services, including Office 365, and for enterprise cloud services running on Azure.
- From Microsoft: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”
Box is HIPAA compliant and will sign a BAA for its healthcare customers. Box also supports secure viewing and sharing of DICOM files, the standard format for medical images.
- From Box: “The Box platform and associated products have been compliant with HIPAA, HITECH, and the final HIPAA Omnibus rule since November 2012. All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud.”
Amazon offers a BAA that covers its HIPAA-eligible AWS services, including Amazon S3 and S3 Glacier storage, but customers must configure their own HIPAA-compliant storage within those services. AWS publishes guidance on recommended configurations. Like Google Cloud Platform, AWS follows the shared responsibility model.
- From Amazon: “AWS has a standard Business Associate Addendum (BAA) we present to customers for signature. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.”
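Under the shared responsibility model described above, the provider's BAA says nothing about whether a particular bucket is configured safely; that part is the customer's job. The following script is an added example (it is not from this page, nor from AWS) of the kind of configuration audit a covered entity would run against its own S3 buckets before putting ePHI in them. It works offline: the two bucket configurations are constructed for the example and mirror the shapes returned by the S3 API calls named in the comments, and the six checks (default encryption, public access blocked, versioning, access logging, a TLS-only bucket policy, no anonymous grants) are a practitioner's baseline, not a list of settings any HIPAA rule mandates by name.

```python
"""Offline audit of S3 bucket configuration for controls the customer owns.

Added example. The configuration dicts below are constructed to mirror the
response shapes of the S3 API calls get_bucket_encryption,
get_public_access_block, get_bucket_versioning, get_bucket_logging and
get_bucket_policy; in a real audit you would populate them from those calls.
"""
import json

PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _statements(policy):
    """Normalize a bucket policy's Statement field to a list (it may be a dict)."""
    if not policy:
        return []
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def policy_denies_insecure_transport(policy):
    """True if a Deny statement rejects requests made without TLS
    (Condition Bool aws:SecureTransport == "false")."""
    for stmt in _statements(policy):
        cond = stmt.get("Condition", {}).get("Bool", {})
        secure = str(cond.get("aws:SecureTransport", "")).lower()
        if stmt.get("Effect") == "Deny" and secure == "false":
            return True
    return False


def policy_grants_anonymous_access(policy):
    """True if any Allow statement uses a wildcard principal."""
    for stmt in _statements(policy):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            return True
    return False


def audit_bucket(cfg):
    """Return a dict of check name -> pass/fail for one bucket configuration."""
    rules = (cfg.get("encryption") or {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    pab = cfg.get("public_access_block") or {}
    policy = cfg.get("policy")
    if isinstance(policy, str):          # get_bucket_policy returns a JSON string
        policy = json.loads(policy)
    return {
        "default_encryption": bool(algorithms & {"AES256", "aws:kms"}),
        "public_access_blocked": all(pab.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS),
        "versioning_enabled": (cfg.get("versioning") or {}).get("Status") == "Enabled",
        "access_logging": "LoggingEnabled" in (cfg.get("logging") or {}),
        "tls_only_policy": policy_denies_insecure_transport(policy),
        "no_anonymous_access": not policy_grants_anonymous_access(policy),
    }


def failing_checks(cfg):
    """Sorted names of the checks a bucket fails; empty means it passed the baseline."""
    return sorted(name for name, ok in audit_bucket(cfg).items() if not ok)


# Constructed sample 1: a bucket created with defaults plus a public-read policy.
WEAK_BUCKET = {
    "encryption": None,
    "public_access_block": {"BlockPublicAcls": True},
    "versioning": {"Status": "Suspended"},
    "logging": {},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi/*"}]}),
}

# Constructed sample 2: the same bucket after hardening.
HARDENED_BUCKET = {
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-phi-key"}}]},
    "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "versioning": {"Status": "Enabled"},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "phi/"}},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-phi", "arn:aws:s3:::example-phi/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        failed = failing_checks(cfg)
        print(f"{name}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

The bucket names, key alias and policy SIDs are placeholders. Running the script reports every check the weak bucket fails and a clean pass for the hardened one; wiring it to real buckets means replacing the two constructed dicts with the output of the five S3 API calls named in the module docstring, and a failed `tls_only_policy` or `no_anonymous_access` check is worth treating as a stop-ship finding for any bucket that will hold ePHI.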