As more businesses operate in the cloud, the risk of hackers becomes more apparent. This environment remains dangerous and needs to be evaluated. The widespread use of mobile devices and the internet translates into more potential breaches for the physician's office and hospital settings. The 2013 HIPAA Omnibus Final Rule was created to protect patient information.
So how do you protect your data environment and remain HIPAA compliant in the cloud? There are four questions you need to ask your third-party cloud provider.
- Did your third-party vendor sign a business associate agreement? The vendor that supports email, PHI, and/or voice applications needs to sign the agreement. During an audit by the Office for Civil Rights, they will ask to see the agreement.
- Does the vendor perform their own internal risk assessment? The vendor should be able to share their risk assessment with the potential client. Deficiencies should be addressed by the vendor.
- Can the vendor assist you with your risk assessment? Is your email data encrypted, how retrievable is your data, and will the vendor be available to assist in the event of a breach?
- When choosing a business partner, how easily does the vendor make you compliant with HIPAA? Can they retrieve data after a hack? How easy is it to encrypt your email? Do they provide PHI in real time?
Non-compliance is a serious offense for the healthcare provider and third-party vendor. To date, fines have been over $60 million. Always think ahead and maintain HIPAA compliance.
For further guidance on how a medical practice can take advantage of cloud computing while complying with regulations protecting privacy, see the U.S. Department of Health and Human Services Guidance on HIPAA and Cloud Computing.
Submitted by Joseph Wager, MS, RCP
Senior Risk Management and Patient Safety Specialist
This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a trained attorney.