HIPAA Compliant Cloud Storage

What does HIPAA stand for?

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. It was formed in 1996 and, among other things, protects patient health information.

Who has to comply with HIPAA?

HIPAA applies to two groups:

  1. Covered Entities: Covered entities are defined in the HIPAA rules as  
    • Health Plans
    • Health Care Clearinghouses
    • Health Care Providers, who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  2. Business Associates: A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. It includes CPA, Attorney, Laboratories, IT Providers, Billing and Coding Services.

For detailed information, please visit the Health & Human Services (HHS) website.

HIPAA violations  

HIPAA violations are expensive. Based on the level of negligence, the penalty for non-compliance can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

Does HIPAA apply to Cloud Storage?

Yes, it does. When PHI is stored on behalf of the healthcare organization the cloud service becomes a business associate and thus must be HIPAA compliant. The law protects privacy, integrity, and accessibility. The Security Rule, which addresses electronic PHI, includes physical and technical safeguards such as audit controls and access controls. It also administrative safeguards such as data backups and security incident procedures.

Healthcare Industry – The Prime Target

The healthcare industry is one of the primary targets for cybercriminals. Stats reveal that a total of 113.2 million healthcare related records were stolen in 2015. Recent studies also say that healthcare has been the industry with the highest number of data breaches. And this stolen data could be  used by the cyber attackers for many fraudulent activities such as stealing identities, procuring drugs, for filing fraudulent claims, pursuing treatment using another identity, etc. and these criminals even sell the patient records for anywhere between 1-5 dollars per record and complete set of medical records for more than $1000 on the darknet. The healthcare industry attracts the security hackers because medical records are lucrative to sell and are easy to hack.

Medical identity theft is increasing at an alarming rate. But the healthcare industry still lags in terms of preparedness when comes to implementing security protocols. So far in 2017, 79 security breaches, each affecting at least 500 patients, have been reported to the U.S. Health & Human Services Department. And this hacking trend is likely to stay or even increase over the coming years. Medical records contain lots of information about the patient like their full name, address, insurance details, social security number, diagnosis details, driver’s license, credit card numbers and a lot more. This information from the medical records can be used for fraudulent billing, prescriptions, etc. By hacking these information cybercriminals make a significant amount of money. According to NBC News, complete health records are going for $60 each.

Steps to be taken by the healthcare industry to prevent data breach:

         Plan sufficient budget for security purposes to curtail or minimize data breach

         Choose the right technology solution to protect patient health data

         Adopt latest technologies to mitigate data breach

         Most of all, ensure the solution you choose is HIPAA compliant

         HIPAA Education for employees – Make sure all employees know what personal health information can and cannot be shared with patients, caregivers and outsiders

         Ensure IT secures the devices it issues employees

         Get rid of the paper records once it is scanned and imported into your EHR

         Encrypt data and also hardware

         Take Identity and Access Management seriously, provide individual specific access to patient health records.

Cyber threats are increasing at an alarming rate. The healthcare industry is the prime pick needs to make smarter decisions to operate their business. The healthcare providers need to have a clear understanding of how industry regulations impact cloud adoption and what has to be looked into while choosing a cloud storage service provider. A cloud storage service becomes a business associate if they store Protected Health Information (PHI) on behalf of any healthcare organization. Also, cloud service providers need to sign a business associate agreement with the healthcare organization that specifies the vendor’s compliance with HIPAA requirements. As a basic step, healthcare providers should ensure that the PHI is encrypted in the cloud. And make certain that the policies, technology, and processes required are in place to eliminate risks.

According to the U.S. Department of Health and Human Services, a HIPAA compliant cloud service provider should have certain administrative, physical and technical safeguards to host your data. Here’s below in detail of what constitutes a HIPAA compliant data center.

Physical Protection: It includes limited facility access and control with authorized access in place. All the covered entities or companies that must be HIPAA compliant must have policies about use and access to workstations and electronic media. This includes transferring, sharing, removing and disposing of any electronic protected health information (ePHI).

Technical Protection: This requires access or control to only those who are authorized to access electronic protected health information. It includes unique user ID’s, user-specific access, emergency access procedure, automatic log off, encryption and decryption. Audit reports and tracking logs should be implemented to help track any security violation.

Technical Policies and Procedures: This should cover integrity controls and also ensure the ePHI is not altered or destroyed. It should also ensure any IT disaster recovery and offsite backup are key to ensure any electronic media errors can be resolved and patient health information can be recovered intact.

Network Security: This requires HIPAA compliant host to protect against any unauthorized public access of ePHI.

On February 17, 2009, a supplement act called The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed, an act which the enforcement of HIPAA requirements by raising the penalties of health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act addresses the privacy and security concerns associated with electronic transmission of health information.

Patient health records are full of personal information and are a prized target for cybercriminals. Hence it is essential to protect the patient data. The HealthViewX Solutions keep patient data safe and secure with HIPAA Compliant cloud storage and ensure complete security to protect sensitive data.