
Keep ePHI Secure in the Cloud

January 13, 2017

Healthcare organizations have a responsibility to protect the privacy of their patients. As noted in the MedCityNews article "ePHI Security Issues in Cloud Computing", "as patient data becomes more digital, more stringent regulations to protect patient privacy and secure patient data are required. In the U.S. the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the standard that medical facilities have to follow."

HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) place responsibility for electronic protected health information (ePHI) on covered entities, i.e. healthcare providers and clearinghouses. This applies wherever the data currently resides, including in the cloud under the management of one or more managed cloud services. This means that if there is a violation, the cloud provider is held responsible for the loss of data, not the hospital or clinic.



Rely on the Cloud for Security

Storing data locally, or in another nearby building, is not the smartest move: a natural disaster can cause city-wide havoc that destroys both copies of the stored data. According to Chris Brian, CIPP/US, "…hosting vendors store, transmit or process ePHI, they must comply with the same mandates for data protection as the healthcare provider." This usually requires them to sign a business associate agreement, under which the healthcare provider's vendors must:

  • Fulfill contracts to secure ePHI and control its use
  • Satisfy the requirements of the HIPAA Privacy and Security Rules
  • Make their records related to ePHI available to their clients if those clients are audited
  • Return or destroy all ePHI if their contract expires or is terminated

Regardless of where the data is located, the storage provider is responsible for the distribution, use, maintenance, storage and destruction of that data.



What to Ask a Cloud Service Provider
When contacting managed cloud services, do your own research to ensure that ePHI will be protected. A healthcare provider should ask the following questions of a potential cloud provider:

  • Is the cloud provider familiar with healthcare practices?
  • Has the cloud provider undergone HIPAA training?
  • Where are the physical systems located, and does the cloud provider own them or borrow computing resources to meet spikes in demand? Data located in a different country raises regulatory and jurisdictional issues and legal uncertainty.
  • How available and reliable is the cloud provider? With general cloud providers, availability and reliability are typically offered on a best-effort basis, and best effort may not be good enough for critical application loads.
  • What administrative, technical, physical and organizational policies and procedures are in place and designed to ensure that the cloud provider safeguards patient data?

Businesses and their agents are directly liable under HIPAA. Covered entities are also responsible for the actions of their business associates and contractors further down the chain.

