Keep ePHI Secure in the Cloud
January 13, 2017
Healthcare organizations have a responsibility to protect the privacy of their patients. As noted in the MedCityNews article, ePHI Security Issues in Cloud Computing, “as patient data becomes more digital, more stringent regulations to protect patient privacy and secure patient data is required. In the U.S. the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the standard that medical facilities have to follow.”
HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) consider (ePHI) on covered entities – i.e. healthcare providers and clearing houses. This is the case wherever the data currently resides, including in the cloud under the management of one or more managed cloud services. This means that if there is a violation, the cloud provider is held responsible for the loss of data, not the hospital or clinic.
Rely on the Cloud for Security
Storing data locally, or at another local building, is not the smartest move. Natural disasters can create city-wide havoc that can destroy both sets of stored data. According to Chris Brian, CIPP/US, “…hosting vendors store, transmit or process ePHI, they must comply with the same mandates for data protection as the healthcare provider.” This usually requires them to sign a business associate agreement, which requires that healthcare provider vendors must:
Regardless of where the data is located, the storage provider is responsible for the distribution, use, maintenance, storage and destruction of data.
What to Ask a Cloud Service Provider
When contacting managed cloud services, you should do your own research to ensure that ePHI is protected. A healthcare provider should ask the following questions of their potential cloud provider:
Businesses and their agents are directly liable under HIPAA. Covered corporations are also responsible for any actions of their business associates and contractors down the chain of command.