Understanding HIPAA document storage compliance in the cloud

Posted: Jan 29, 2015

The adoption of electronic patient healthcare information (ePHI), together with the widely reported data breaches throughout 2014, has raised concerns around data security, as more and more organizations implement measures that could see paper PHI eliminated completely.

This is a particular concern for smaller organizations, where implementing HIPAA compliant technologies may be a strain on resources. Fortunately, a number of companies now offer HIPAA compliant technology solutions, such as cloud storage, encryption software and cloud-based secure data transmission services.

Cloud technology offers a cost-effective, less resource-intensive solution for covered entities. Data stored in the cloud requires no expensive equipment, physical premises or hired staff to manage and maintain it, and it can be accessed from anywhere.

The cloud offers a more secure solution than on-site data storage or storage on portable devices. In most instances where data breaches have occurred, paper records and portable devices such as hard drives were the most vulnerable to breach through loss, theft or negligence. As cloud computing eliminates the need to store health information on such devices, HIPAA cloud storage – when managed correctly – is a far more secure solution.

Some healthcare providers may still be nervous about moving data storage to the cloud due to concerns that HIPAA Security Standards may not be met. However, modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules confirm that data center operators are classified as business associates under HIPAA, meaning that by law they are required to report and respond to data breaches and to uphold their obligation to properly protect ePHI. They may also be selected to take part in phase 2 HIPAA audits.

Business associates (BAs) must not only prove that they meet the criteria for HIPAA compliance, but must also sign a Business Associate Agreement (BAA).

This change helps to reassure covered entities that they can remain HIPAA compliant while adopting cloud technology.

Choosing a HIPAA Compliant Provider
Providers must be able to offer HIPAA compliant cloud storage, and must be able to demonstrate that they meet the requirements of HIPAA and the HITECH Act, which was introduced to ensure healthcare providers implement three safeguards with respect to the protection of ePHI.

The three safeguards – administrative, physical and technical – are the responsibility of both the covered entity and the business associate (in this case, the cloud provider). Each category within these safeguards includes shared responsibilities as well as safeguards that are the sole responsibility of each.

Physical HIPAA Safeguards
The physical safeguards are not the sole responsibility of the cloud provider, as this safeguard extends beyond physical locations such as data centres and server rooms. It also covers on-site workstations and portable devices. Any cloud provider that states it is HIPAA compliant must have policies governing use of, and access to, every physical location or device where ePHI is created, stored or transmitted.

Administrative HIPAA Safeguards
Adherence to the administrative HIPAA safeguards is the responsibility of both the covered entity and the cloud service provider. Each party must appoint an administrator whose role is to develop best-practice policies and to inform and educate everyone who accesses or transmits ePHI. These administrators are also responsible for conducting regular risk assessments to identify potential threats to the integrity of ePHI within their organization, and for overseeing all physical and technical safeguards, especially where policy or technology within the organization changes.

Technical HIPAA Safeguards
The technical safeguards are broken down into 5 standards that focus exclusively on the technology (such as servers, networks, computers, software and devices) that protects and controls access to ePHI. These standards were designed to be “technology neutral”, meaning organizations do not need to select specific technologies to meet them.

These standards include a section on transmission security, which requires covered entities and their selected providers to have measures in place that protect ePHI against unauthorized access while it is in transit, using integrity controls and encryption. This applies to every method of transmission, so adherence to these policies is again the joint responsibility of the covered entity and the service provider.

A cloud partner must be able to demonstrate that it meets these safeguards and provide a copy of its HIPAA compliance report on request. It should also be able to demonstrate a sound risk-management program, including how it mitigates possible data breaches, and show that it has up-to-date knowledge of HIPAA regulations.

While cloud providers can lessen the burden of managing ePHI, it is important to remember that they are not solely responsible for controlling it. The healthcare organization ultimately makes the final call on how this data is managed, and is therefore likely to share responsibility in the event of a breach.

Healthcare organizations should not use cloud-based services that are unable to demonstrate that they are fully HIPAA compliant; encrypting data while it is stored in the cloud is simply not enough on its own.

Encryption During Transmission is Crucial
Cloud file sharing offers flexibility and convenience, especially for healthcare professionals in the field, but there is growing concern that some practitioners are not using file sharing solutions that are compliant with HIPAA.

While services such as Dropbox and Google Docs encrypt documents that are stored in the cloud, the files are unprotected again as soon as they are downloaded to a device. The good news is that there are ways to meet HIPAA standards using cloud solutions.

A number of providers offer software products specifically designed to encrypt documents shared through cloud-based services. Many provide an end-to-end solution, as files remain encrypted even when they are synced to new devices or shared with other users. When selecting software, it is important to choose a provider that can remotely control and revoke access to files, and that can audit them so you can see who has opened or shared them.

Cloud solutions ensure that data is backed up, so that even in the event of a major disaster all documents can be safely retrieved, eliminating a huge number of concerns for business continuity managers.

The ability to sync documents across a number of devices is helpful for healthcare professionals, and being able to share files quickly and safely saves time and money too.

Although file-protection software offers a simple and effective way to store and share files safely, it may not be a complete end-to-end solution for transmitting ePHI. Email does not meet the security standards for transmission – but secure cloud fax does.

Sfax provides a HIPAA compliant secure cloud fax service that meets all required and addressable standards under the technical safeguards. This, coupled with our smart technology, means we deliver the highest levels of security in relation to digitizing, processing and storing sensitive information – meaning your organization can be assured that its ePHI is in safe hands.