Healthcare providers are often overwhelmed when trying to evaluate which IT service providers deliver services that will truly help them achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Despite new provisions enacted by Health and Human Services (HHS) designed to hold IT service providers more accountable for security and privacy lapses, many cloud providers have not defined specific products that are HIPAA compliant. Covered entities and health care clearinghouses should carefully evaluate cloud providers' products to determine how they deliver solutions designed to meet the confidentiality, integrity and availability provisions required by HIPAA.
Before moving any electronic protected health information (ePHI) into the cloud, covered entities and health care clearinghouses should ask the following questions:
1. Are there provisions in the service provider's terms of service or business associate agreement that clearly outline how HIPAA compliant products are supported?
Key elements to consider include disaster recovery and business continuity processes and procedures, and security provisions designed to preserve the confidentiality, integrity and availability of ePHI. Many of these necessary services may be available only at an additional fee. Covered entities should evaluate service offerings to determine whether the scope of disaster recovery and security services is adequate.
2. What security products/solutions are required to protect cloud systems storing ePHI?
At a minimum, anti-virus, operating system patching and system event logging are required for systems storing ePHI. Systems that store ePHI and are internet accessible must be protected by a firewall. Many service providers charge additional fees for these services, or offer enhanced security and monitoring services (e.g. intrusion detection/prevention) for an additional charge. It is important for covered entities to ensure all of these elements are in place and that the service provider has a clear plan to escalate or assist the covered entity in the event of a security incident or breach.
3. Are disaster recovery services included in the services offered? Does the service provider offer service level agreements (essentially time commitments to restore services in the event of a disaster or prolonged outage)?
Not all ePHI is equally critical; access to some ePHI could be a matter of life or death in the event of a disaster, while other ePHI may not be as critical. Covered entities should ensure the products they use can support availability requirements based on the criticality of their ePHI.
4. What is my service provider’s role in helping detect and respond to security incidents or breaches?
Service providers should have clearly defined procedures to assist covered entities in monitoring and managing ePHI systems. Procedures for investigating security incidents and escalating potential or actual breaches should be well defined.
HIPAA requires service providers to deliver privacy and security training to employees and to maintain processes and procedures to thoroughly investigate security incidents. Look for providers who have:
- significant experience delivering cloud services securely
- mature security programs based on industry best practice standards (such as ISO 27001 and ISO 27002)
- third-party audits designed to evaluate the provider's security, such as SSAE 16/SOC 2 reports
- formal incident response processes and a commitment to promptly investigate and notify covered entities (usually within five days or less) when a security event is identified
5. What type of controls does the service provider have in place to ensure products remain HIPAA compliant?
Covered entities should look for service providers who formally validate their HIPAA programs using the HHS privacy and security audit protocol at least annually. Mature service providers will have dedicated compliance teams or third parties who are responsible for validating compliance with all aspects of HIPAA.
Partnering with the right IT service provider significantly reduces the complexity of maintaining ePHI in the cloud. Covered entities and clearinghouses that partner with service providers with a long history of delivering secure and reliable cloud solutions will significantly enhance their own ability to achieve HIPAA compliance.