Are you responsible for the privacy of anyone's protected health information? If so, you face some unique challenges in data protection and legal compliance.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, introduced standards to protect patient information at a time when electronic records were making it easier to copy and expose. The rules have since been extended (the Security Rule, the HITECH Act and the 2013 Omnibus Rule) to keep pace with technology, and HHS has published guidance that addresses cloud storage of PHI specifically.
Who is Responsible?
Any covered entity (a healthcare provider, health plan or clearinghouse) that creates, receives, stores or transmits protected health information (PHI) must meet the HIPAA requirements. A cloud computing provider it hires to store that data is a business associate and is directly bound by the same Security Rule requirements.
The law requires the two parties to sign a business associate agreement (BAA): a contract that sets out how the cloud provider may use the PHI, what safeguards it must apply, and how and how quickly it must report a breach back to the covered entity. It is more than a statement that the provider is "HIPAA compliant".
The healthcare provider must understand exactly how the service provider protects patient information in order to judge its own risk accurately; signing the BAA shares the obligations, it does not transfer them.
There are two states in which data is at risk, in any industry: data at rest and data in motion (also called data in transit). Imagine that you have a computer with patient records residing on it. That is data at rest.
Then, imagine that you send a prescription to a pharmacy over the Internet, or upload lab results to a patient portal. That is data in motion.
Both types of data need to be encrypted so that only authorized users can read them. Encryption is also what keeps a lost laptop or an intercepted upload from becoming a reportable breach: PHI encrypted to the standards in HHS guidance is not "unsecured PHI" under the Breach Notification Rule, provided the keys were not exposed along with it. Your IT management company must also offer:
- Strict authorization through a permission-based system: roles with least-privilege access, so that only staff who need a record can open it
- Access monitoring: who is viewing or downloading which files, and when
- Encryption for data both at rest and in motion
- Audit trails that you, and not only the provider, can review
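As an added illustration of the first, second and last items above (example code written for this article, not the page's own material or any vendor's product), the following Python sketch ties a permission check to a tamper-evident audit trail: every access attempt, whether allowed or denied, is appended to a hash-chained, HMAC-signed log, a verifier detects any edited, deleted or reordered entry, and a report summarises who read or downloaded which records. The roles, user names, patient IDs and the audit key are constructed sample values; in a real deployment the role would come from your identity provider and the key from a key management service rather than being hard-coded.

```python
import hashlib
import hmac
import json
import time

# Constructed sample role model (an assumption for this example, not from the page).
ROLE_PERMISSIONS = {
    "physician": {"read", "download"},
    "nurse": {"read"},
    "billing": set(),          # billing staff get no direct access to clinical records
}

GENESIS = "0" * 64            # "previous MAC" value used by the first audit entry


class PHIStore:
    """Minimal PHI store: permission check on every access, every attempt audited."""

    def __init__(self, audit_key: bytes):
        self._records = {}
        self._audit_key = audit_key      # production: fetched from a KMS, never hard-coded
        self.audit_log = []              # append-only list of signed, chained entries
        self._prev_mac = GENESIS

    def add_record(self, patient_id: str, data: dict) -> None:
        self._records[patient_id] = data

    def access(self, user: str, role: str, action: str, patient_id: str) -> dict:
        """Return the record if the role permits the action; log the attempt either way."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._append_audit(user, role, action, patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {patient_id}")
        return self._records[patient_id]

    def _append_audit(self, user, role, action, patient_id, allowed) -> None:
        entry = {
            "ts": time.time(),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient_id,
            "allowed": allowed,
            "prev": self._prev_mac,      # chains this entry to the one before it
        }
        entry["mac"] = self._sign(entry)
        self._prev_mac = entry["mac"]
        self.audit_log.append(entry)

    def _sign(self, entry: dict) -> str:
        # HMAC over every field except the MAC itself, with a canonical JSON encoding.
        body = {k: v for k, v in entry.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._audit_key, msg, hashlib.sha256).hexdigest()

    def verify_audit_log(self) -> bool:
        """True only if no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for entry in self.audit_log:
            if entry.get("prev") != prev:
                return False                      # a gap or reordering in the chain
            if not hmac.compare_digest(self._sign(entry), entry.get("mac", "")):
                return False                      # the entry's contents were changed
            prev = entry["mac"]
        return True


def access_report(audit_log: list) -> dict:
    """Who looked at or downloaded files, and who was turned away."""
    report = {}
    for e in audit_log:
        counts = report.setdefault(e["user"], {"read": 0, "download": 0, "denied": 0})
        if e["allowed"]:
            counts[e["action"]] = counts.get(e["action"], 0) + 1
        else:
            counts["denied"] += 1
    return report


def build_demo_store() -> PHIStore:
    """Constructed scenario: three permitted accesses and one denied attempt."""
    store = PHIStore(audit_key=b"demo-only-audit-key")
    store.add_record("P001", {"name": "Sample Patient", "note": "constructed sample record"})
    store.access("dr_lee", "physician", "read", "P001")
    store.access("dr_lee", "physician", "download", "P001")
    store.access("nurse_kim", "nurse", "read", "P001")
    try:
        store.access("billing_bob", "billing", "read", "P001")
    except PermissionError:
        pass                                      # denied, but still recorded in the log
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("log intact:", store.verify_audit_log())
    print(json.dumps(access_report(store.audit_log), indent=2))
    store.audit_log[1]["patient"] = "P999"       # simulate someone editing history
    print("log intact after tampering:", store.verify_audit_log())
```

The point of the chain is that a provider (or an intruder with the provider's credentials) cannot quietly remove or rewrite a record of who opened a file: the tamper evidence is only as strong as the protection of the audit key, though, so the key and the log copy you verify against should live somewhere the storage administrators cannot reach, such as a separate write-once log store under your own control.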
Handling Data Breaches
When choosing a HIPAA compliant storage service, you, as a covered entity, should ask about the provider's cybersecurity incident response plan. Data breaches are increasingly common, and a company responsible for storing your patients' data needs to be proactive about keeping it safe.
Be familiar with the plan yourself, so that you can take an active part in containing a breach and preventing a repeat. Make sure the BAA states how quickly the provider must report a breach to you: the deadlines in the HIPAA Breach Notification Rule (notice to the affected individuals and to HHS, and to the media when 500 or more people are affected) run against you as the covered entity, so you need to know which authorities to notify and what the next steps are before anything happens.
Know What You Want
It's important to understand what you want from a HIPAA compliant cloud storage service. Ask yourself how the data is going to be shared, and with whom.
Will you use the cloud service as a backup, as primary storage, or both? What are your options for expansion? Making the right choice at the start can save you costly data migrations later if you outgrow your service provider.
Your service provider should employ technicians who are thoroughly familiar and comfortable with HIPAA compliance. These are the people who will help you identify your needs and assess the security of your patients' data.
Check out our free HIPAA risk assessment tool, and let us know if we can help protect both you and your patients' private information.