Why Most Cloud Solutions Are Not HIPAA Compliant

In 2016, HIPAA violation fines totaled nearly $23 million.

The pressure to meet compliance regulations is high; after over 25 years of serving the technology needs of DC-area healthcare organizations, we’ve seen both the requirements and the consequences of noncompliance increase dramatically.

If your organization is subject to HIPAA regulations, you might find yourself in a bit of a tough spot when it comes to cloud computing – while you want to offer your staff the mobility, flexibility, and reliability that the cloud has to offer, you don’t want to open your organization up to undue risk.

Unfortunately, many cloud solutions can do more harm than good from a compliance standpoint. We’ll explore this more below, and offer our recommendations on how to find a secure cloud solution for your organization.

What does it take to be HIPAA compliant?

According to the HIPAA Security Rule, covered entities and their business associates must implement the following to protect electronic Protected Health Information (ePHI):

  • Administrative Safeguards, including security awareness training, incident reporting, and periodic evaluations.
  • Physical Safeguards, including facility access controls and workstation/device controls.
  • Technical Safeguards, including access control, audit controls, data integrity, person or entity authentication, and transmission security.

These safeguards are in addition to provisions of the Privacy Rule, which deals with patient rights to their PHI and how it is shared.

Why are most cloud solutions not HIPAA compliant?

As you can see, there’s much more to these regulations than just technology; no cloud solution by itself will make your organization compliant.

On the flip side, many consumer-grade cloud solutions will put you in direct violation. Storing ePHI with a vendor that will not sign a Business Associate Agreement is itself a violation, regardless of how the data is protected.

The fact is that many cloud solutions are geared toward the consumer market, and therefore have only basic security features in place on the back end, with no contractual commitment to the HIPAA safeguards. This means they are often not appropriate for any business, much less one with advanced security requirements.

Some business-oriented solutions, such as Microsoft Office 365 and Google's G Suite, do take HIPAA into account and will sign a Business Associate Agreement. These few providers are also careful to state that their offering alone is not enough to make you compliant. In Microsoft's words:

By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.

Our recommendation

If your organization is subject to compliance regulations, we recommend that you seek out a technology partner that is well-versed in those regulations.

With HIPAA, qualified providers will be willing to sign a Business Associate Agreement (BAA) with you. Since the HITECH Act, business associates are directly liable under the HIPAA rules for the ePHI they handle, so a signed BAA binds the provider to the same safeguards by law.

If they have skin in the game, they are far more likely to adhere to all the required safeguards and training protocols, and to guide you toward the solutions that make the most sense for your organization.
