08-08-13 | Blog Post
The Center for Democracy and Technology, a nonprofit public policy organization, has recognized cloud computing as a viable solution for data use – from email and document storage to specialized enterprise services such as CRM software and full servers.
They acknowledge the healthcare industry’s general uncertainty about cloud security, but in response, state that “there is nothing inherently dangerous about cloud computing…healthcare organizations should be able to benefit as much as other sectors have from cloud computing.”
Relevance: the ONC (Office of the National Coordinator for Health Information Technology; the federal entity behind health IT legislation and innovation) retweeted the CDT’s article, Demystifying HIPAA and the Cloud, therefore somewhat legitimizing its credibility.
The CDT released a cloud computing FAQ – while they define cloud infrastructure as a service (IaaS) as:
In this model, the CSP focuses on providing hardware, networking and associated maintenance only. All aspects of the hardware configuration, operating systems, software installation, and maintenance are the responsibility of the customer.
Distinctions are sometimes drawn between “public” and “private” cloud services. This FAQ focuses on “public” cloud computing services — those in which health care entities use a third-party CSP for some or all of their cloud computing needs.
It’s important to note that some cloud service providers do offer private clouds – meaning your SAN (Storage Area Network) disks, hosts and servers are completely dedicated to your organization. This means all of your compute, memory and disk performance is reserved for only your use, whenever you need it.
Additionally, HIPAA compliant clouds can provide additional reassurance that your ePHI is secure, particularly if your cloud service provider has undergone a HIPAA audit to ensure they are following the physical, administrative and technical security standards required to protect healthcare data.
In response to the question, “Is a cloud service provider (CSP) a business associate under the HIPAA Privacy Rule?” The answer is yes.
The CDT’s cloud FAQ also answers the question, “Can healthcare providers choose to store protected health information (PHI) in the ‘cloud,’ and why might they want?” with:
Cloud computing can offer increased computing speed, capacity, flexibility, and security at significantly lower cost. Because CSPs focus entirely on ensuring reliable, high-availability access to information technology resources, health care organizations (like others) may find that it is substantially cheaper to obtain these resources from CSPs rather than trying to provide them on their own from within their organization.
Other benefits they list include:
Another point they make is that “HIPAA compliance” is not a certification or compliance regime recognized by the Dept. of Health and Human Services, a valid point indeed. Claiming compliance isn’t the same as delivering on the promise of data security and “a track record of working securely with PHI” – so check your HIPAA hosting provider for healthcare cloud case studies to verify they are familiar with the healthcare field and can successfully offer secure solutions that work.
The CDT goes on to list specific types of certifications that a healthcare provider should consider when selecting a CSP, including:
If you’re interested in reading more about HIPAA and healthcare clouds, you might want to check out:
What to Look for in a HIPAA Cloud Provider
The deadline draws near – September 23, 2013 marks the date of when both business associates (now including cloud service providers) and covered entities must meet the HIPAA Omnibus rule, released in January to update the 15-year-old law. A refresh … Continue reading →
No Encryption or BAAs: Keep PHI off Unsecure Clouds
Google Drive, formerly Docs, is a free collaboration tool that can be used to store and manage large amounts of data – unless that data falls under the scope of protected health information (PHI); that is, personal patient health record … Continue reading →
How the HIPAA Cloud Protects PHI for Physician Software as a Service (SaaS)
How does the HIPAA compliant cloud support and enable progression of health IT and patient care? By creating a high availability, reliable data and application hosting infrastructure that’s secure enough to meet healthcare industry data security compliance regulations, like the Health … Continue reading →
References:
FAQ: HIPAA and “Cloud Computing” (PDF)