HIPAA Certified Cloud Provider

01/24/2014


The Health Insurance Portability and Accountability Act (HIPAA) is a set of privacy, security and breach notification rules governing how protected health information (PHI) may be used and how it must be safeguarded. Under these rules, it is the responsibility of the covered entity to ensure that PHI is stored and secured in a way that meets HIPAA requirements. So, what exactly does that mean? It means it is your direct responsibility to verify that your cloud provider implements the security controls HIPAA requires.

What Are the Requirements?

HIPAA has a long list of defined requirements for the security and storage of patient information. These include encryption of PHI (an "addressable" specification under the Security Rule, meaning you must either implement it or document why an equivalent measure is reasonable), physical security and access control measures, backup and contingency requirements, and perimeter network security and monitoring, to name just a few.

HIPAA’s Updated Business Associate Rules

HIPAA’s updated business associate rules took effect on Sept. 23, 2013. A business associate is defined as a person or entity (other than a member of the workforce of a covered entity) who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access to protected health information. A business associate is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate. HIPAA requires covered entities to enter into a contract, the Business Associate Agreement (BAA), with their business associates to ensure that the business associates will appropriately safeguard protected health information.

Part of the reasoning for this rule is to protect patients’ privacy regardless of where their information is stored, including the cloud. HIPAA now holds every party that handles patient data directly responsible in the event of a breach. When business associates and covered entities are both held accountable, they are more likely to take the security measures necessary to protect themselves and the information they store.

So, How Many Cloud Providers Are HIPAA Certified?

Let’s answer the question we first posed to you: how many cloud providers are actually HIPAA certified? Exactly zero. That’s right; if you’re looking for a cloud storage provider that is certified as HIPAA compliant, you won’t find one, because there are none. There is no government-recognized certification program under which a cloud provider (or anyone else) can become "HIPAA certified," and the Department of Health and Human Services does not endorse any third-party certification. HIPAA’s rules do not single out cloud providers; a provider that stores, processes or transmits PHI on your behalf is simply a business associate, bound by the same Security Rule safeguards as any other. Technically speaking, then, there is no such thing as a HIPAA certified cloud provider, and the ultimate responsibility for compliance remains with the covered entity, unless you’ve found a cloud computing provider that goes above and beyond.

A good cloud provider should be well-versed in HIPAA compliance and offer the options needed to ensure that all HIPAA requirements can be met. Cloud computing providers that own and operate their own equipment should be able to give prompt, specific answers about their physical, network and logical security controls.

What You Can Do

When selecting a cloud service provider to host your HIPAA-regulated data, make sure to obtain a signed Business Associate Agreement that commits the provider to the same administrative, physical and technical safeguards the covered entity itself must implement. And remember these important rules:

  • There is no recognized HIPAA certification for cloud providers.
  • You need to ensure compliance for your data no matter where it is stored.
  • Your cloud provider should have all the controls and options necessary to comply with HIPAA’s information security requirements.
  • You should have a Business Associate Agreement with your cloud hosting provider that documents its obligations under HIPAA and the manner in which it hosts patient information.
  • A cloud solutions provider should be able to answer all questions relating to HIPAA compliance, including its security controls, which personnel have access to your data, where the data is stored, and how it is retrieved and returned.

Have a question of your own about Diverse Technology Solutions’ dedication to HIPAA compliance? Call us at 631-224-1200.
