Pointers for HIPAA Compliance in the Cloud
SaaS applications like G Suite, Office 365, and Salesforce are revolutionizing the healthcare industry with improvements to agility, connectivity, and accessibility. On the flip side, Public Health Information (PHI) breaches are also on the rise and proper data protection remains a top concern.
That is because PHI data is incredibly valuable on the black market; worth 10 times more than credit card information. In the first couple of months in 2017 alone, the US Department of Health and Human Services (HHS) collected over 11 million dollars in fines due to PHI data breaches. It worked out to an average of $2.8 million per fine. Apart from the fines, the loss of data, legal costs, and damage to reputation can be prohibitively expensive, if not impossible to recover.
How can your organization be “HIPAA-Compliant”? Here are a few pointers…
- It’s your Responsibility: HIPAA mandates that covered entities (healthcare providers) and their business associates must comply with the HIPAA. Both covered entities and business associates must conduct risk analysis to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Sign a Solid BAA: A covered entity can engage a CSP to store e-PHI provided that it enters into a HIPAA-compliant Business Associate Agreement (BAA). The CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules. Don’t skip the BAA! It cost Oregon Health & Science University $2.7 million because they did not have a BAA with their CSP.
- No one’s “HIPAA-endorsed”: The HIPAA Rules do not endorse, certify or require specific types of technology/products or providers.
- Check your CSPs: The BAA is required even if the CSP handles only encrypted ePHI and lacks an encryption key for the data. A CSP providing such “no-view” services is not exempt from HIPAA Rules.
- Vet your Vendors well: The HHS even published a newsletter highlighting the risks inherent in third-party and custom application software.
- Remember the three main HIPAA e-PHI rules:
- Privacy Rule: The CSP must still ensure that it only uses and discloses the encrypted information as permitted by its BAA and HIPAA’s Privacy Rule. The BAA must require a business associate to return or destroy all PHI at the termination of the BAA where feasible.
- Security Rule: All ePHI must be properly secured from unauthorized access (a breach), whether the data is at rest or in transit. Physical, technical and administrative safeguards have to be put in place to protect the PHI.
- The Breach Notification Rule: All covered entities and business associates (including CSPs with no-view services) must report data breach incidents to the HHS.
- Beware of Gaps in CSP Data Protection: While CSPs like Google, Microsoft, and Salesforce do an expert job of safeguarding your data they cannot protect you from mishaps that happen on your side of things. These mishaps include accidental/malicious deletion, sync errors, hacking and ransomware. As the Protenus Breach Barometer Report 2017 reported hacking is responsible for 53% of breached Patient Records.
- Gain Peace of Mind with a Backup Solution: Apart from the financial implications—hefty fines, patient compensation, legal costs, etc. there are immeasurable business losses—damage to reputation, business downtime, loss of customers, etc. And let’s not get started with being featured on HIPAA’s Wall of Shame. The way out? An efficient backup and restore solution. According to HIPAA Rules, covered entities “must securely back up “retrievable exact copies of electronic protected health information” and must be able to fully “restore any loss of data.” Furthermore the Security Rule mandates that the backup should be frequent, encrypted, tested and stored offsite. Most CSPs too recommend implementing a third-party backup solution to augment the protection they’re able to provide.
The onus is on us. Having a robust data protection plan to rapidly prevent and /or recover from data loss is not a nice-to-have anymore, but a necessity.
Further Reading:4 Top Data Considerations for Healthcare IT