Healthcare data is increasingly being stored and used in the public cloud as electronic Protected Health Information (ePHI). One of the concerns healthcare organizations may have with cloud computing is a lack of control over their PHI data. This blog post outlines cloud, Protected Health Information, and compliance considerations for success.
Cloud computing is the term used to describe the provisioning of computer services over the internet. With cloud computing, the resources that were typically local to an organization – computers, software, and data – are now hosted by third-party vendors or cloud service providers (CSPs). Cloud computing is pay-as-you-go: the upfront costs of setting up servers and databases on-premises are replaced with a metered approach where cost is determined by the cloud resources actually used.
Cloud services can easily and automatically scale up and down in size and capacity as needed. The cloud can reduce infrastructure costs when compared to an on-premises solution. Software updates, hardware maintenance, and similar tasks are performed by the cloud service provider with minimal intervention from the healthcare organization.
Protected Health Information
One of the concerns healthcare organizations may have with cloud computing is a lack of control over their PHI data. The Health Insurance Portability and Accountability Act (HIPAA) covers Protected Health Information (PHI) that could be used to identify health plan members or patients and specifies penalties if that data is disclosed. Examples of PHI are gender, phone number, physical and email addresses, birth dates, ethnicity, etc. PHI relates to physical records, while HIPAA defines ePHI as “any PHI that is created, stored, transmitted, or received electronically” by a HIPAA covered entity or business associate.
Compliance Ensures Success
HIPAA considers healthcare organizations, such as providers or payers, to be covered entities, while cloud service providers (CSPs) are considered business associates. To be HIPAA-compliant, the healthcare organization and the CSP must enter into a HIPAA business associate agreement (BAA), with both parties being responsible for meeting the terms of the BAA. The BAA is a contract that specifies the allowable uses and disclosures of PHI by the cloud service provider based on the activities the CSP performs for the healthcare organization.
A CSP can disclose or access protected health information only as permitted by the healthcare organization and allowed by law. Until a business associate agreement is in place and a risk assessment has been performed, ePHI may not be moved to the cloud. A risk assessment is performed to identify risks and potential areas of exploitation in the environment and to suggest appropriate measures to minimize threats to the security and integrity of ePHI. Risk analysis must be done by both the healthcare organization and the cloud service provider.
With a risk analysis complete and a business associate agreement in place, the CSP and healthcare organization may also enter into a service level agreement (SLA). This outlines issues such as how data will be returned to the healthcare organization once it stops using the CSP, backup and recovery of data, and any restrictions on the use and retention of data.