The Health Insurance Portability & Accountability Act (HIPAA) sets standards for protecting sensitive data of patients in the cloud. Any company which is dealing with PHI (protected health information) needs to ensure all of the required network, physical, and process safety measures are properly followed. If you want to learn more about requirements of HIPPA, click here to learn more.
This includes CE (covered entities), anyone who is providing treatment, operations, and payment in health care, BA (business associates) with access to patient’s information stored in the cloud or those who provide support in payment, operations, or treatment. Subcontractors and associates of associates need to be in compliance too.
Read more about our HIPAA compliance here
Who needs HIPAA?
The privacy rule of the HIPAA helped address the saving, sharing, and accessing of personal and medical data of individuals stored in the cloud while the security rule is more specifically meant for outlining national security standards to help protect the health data which is received, maintained, transmitted, or created electronically, also known as e-PHI (electronic protected health information).
Technical and physical safeguards
If you're hosting data with HIPAA compliant hosting providers, they need to have particular administrative, technical, and physical safeguards in place as per the US HHS (Department of Health & Human Services). The technical and physical safeguards which are the most important for services provided by hosts are listed below:
- Physical safeguards include limited facility control or access with authorized access procedures. All entities need to be HIPAA compliant, need to have policies regarding the use and access of electronic media and workstations. This includes removing, transferring, reusing, and disposing of e-PHI and electronic media.
- Technical safeguards should only allow authorized users to access e-PHI. Access control will include the use of unique user ID's, emergency access procedures, automatic logoffs, decryption, and encryption.
- Tracking logs or audit reports need to be implemented in order to keep a record of activity on software or hardware. This is very useful when it comes to pinpointing the source or the cause of security violations.
- Technical policies need to be used for covering integrity controls and measures should be in place to confirm e-PHI has not been destroyed or altered. Offsite backup and IT disaster recovery are very important in order to ensure any electronic media errors or failures can quickly be remedied, and health information of patients can be recovered intact and accurately.
- Transmission or network security is the last safeguard needed of HIPAA compliant hosts in order to protect them against any unauthorized access or use of e-PHI. This concerns all of the methods for transmitting data, whether it is over the internet, email, or even on private networks, like a private cloud.
A supplemental act passed in 2009 known as the HITECH (Health Information Technology for Economic & Clinical Health) Act which supported the enforcement of all of the HIPAA requirements by increasing the penalties imposed on organizations who violated the HIPAA privacy or security rules. The HITECH Act was created in response to the development of health technology and increased storage, transmission, and use of electronic health information.
HIPAA has driven a number of healthcare providers to search for solutions that can help them secure cloud data. Medical information is very private, and regulation keeps getting tighter, which means enforcement is also getting tighter. There are a number of healthcare providers have chosen to move their whole EHRs onto a HIPAA compliant platform such as FileCloud in order to reduce their expenses and become more inter-operable across various other devices in a safe, HIPAA-compliant fashion.
Author: Rahul Sharma
images courtesy: freedigitalphotos.net/ Stuart Miles
By Team FileCloud