Anyone who has done a Google search on private cloud servers and HIPAA compliance has likely come across dozens of companies that promise their services are HIPAA compliant. This is a good thing, since it means there are many choices out there. It also means the industry is aware that HIPAA compliance is needed on its servers, which is a second excellent sign.
The problem is that not every company touting itself as HIPAA compliant actually is. A compliance claim also does not relieve you of the required research to determine whether a service meets all of the requirements to be HIPAA compliant. That is still your job. Because of that, we are going to help by explaining what to look for to ensure your storage company handles protected health information (PHI) in a HIPAA-compliant way.
Cloud service providers may claim to be certified HIPAA compliant, but this is something to watch out for. The truth is that the United States Department of Health and Human Services, which is responsible for HIPAA, does not recognize any certification program for cloud service providers. A company holding such a certification may or may not actually have the security controls that PHI requires.
Instead of looking for a certification, look for a provider with the right processes and controls in place to meet the applicable HIPAA requirements. One way to do this is to choose a provider that undergoes an annual independent audit of its cloud infrastructure and data center operations. Such an audit provides a breakdown of the particular audit criteria used by the entity responsible for enforcing compliance with HIPAA.
HIPAA Compliance Definitions
Anyone who is a covered entity under HIPAA has to comply with specific requirements. A business associate is any party that performs functions or activities involving the use or disclosure of PHI on a covered entity's behalf. One of the rules states that: “a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
Get a Business Associate Agreement (BAA)
Your service provider needs to give you a written contract, called a business associate agreement, because it will be handling PHI on your business's behalf. This is crucial to have. The BAA spells out what the supplier will do for the entity and commits it to complying with all HIPAA requirements for protecting the security and privacy of PHI.
One way to confirm that your provider understands your HIPAA requirements is to review its HIPAA compliance audit report. This is an audit conducted by a third party to verify that the cloud service provider is doing everything correctly with regard to HIPAA compliance. The OCR Audit Protocol, adopted in 2012, gives the auditor a set of guidelines to follow. When you review the audit report, all 169 HIPAA requirements should be covered.
Encryption of Protected Health Information
Encryption is one of the best practices in data security. It is not mandatory under the HIPAA rules, but it is something that should be considered. If your data is somehow lost or someone gains access to it, encryption means they cannot read the actual information.
Of course, there are other things to consider when choosing a HIPAA-compliant cloud server provider, but this is a great start. As more healthcare companies become interested in moving to the cloud, more cloud providers are competing for their business. Make sure you find one that offers exactly what you need when it comes to the cloud and HIPAA compliance options.