HIPAA Cloud Hosting Requirements
What Are the Requirements?
The HIPAA regulation has a long laundry list of defined parameters for data security and storage of patient information. This includes encryption, detailed physical security and access control measures, specific backup requirements and perimeter network security and monitoring specifications, just to name a few.
HIPAA’s New Business Associate Regulation
HIPAA’s “Business Associate Agreement” was implemented on Sept. 23, 2013. A business associate is defined as a person or entity (other than a member of the workforce of a covered entity) who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A business associate is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate. HIPAA rules generally require that covered entities enter into a contract with their business associates to ensure they will appropriately safeguard protected health information.
Part of the reasoning for this regulation is to ensure patients’ privacy regardless of where their information is stored—including the cloud. HIPAA is now holding all parties that come in contact with patient data responsible in the event of a breach. When the business associate and covered entities are held responsible, they are more likely to take the necessary security measures to protect themselves and the stored information.
So, How Many Cloud Providers Are HIPAA Certified?
How many cloud providers are actually HIPAA certified? Exactly zero. That’s right; if you’re looking for a cloud storage provider that is certified as HIPAA compliant, you won’t find any because there are none. There is no certification for a cloud provider to become HIPAA compliant. In fact, there are exactly zero rules or regulations for cloud providers with respect to HIPAA. And so, it remains the ultimate responsibility of the covered entity to comply with HIPAA regulations no matter where you store your data.
What You Can Do
When selecting a cloud service provider to host your HIPAA regulated data, make sure to obtain an HIPAA-compliant Business Associate Agreement to ensure compliance with the same physical, administrative and electronic security requirements that the covered entity must also comply with. And remember these important rules:
- There is no “cloud certification” for cloud providers.
- You need to ensure data compliance no matter where it is stored.
- Your cloud provider should have all necessary controls and options available to comply with HIPAA’s regulations for information security.
- You should have a Business Associate Agreement with your cloud hosting provider that stipulates their understanding of HIPAA regulations and the manner in which they host patient information.
- A cloud solutions provider should be able to answer all questions in relation to HIPAA compliance, including security, personnel who have access, data storage location and data retrieval protocols.
- You need to have defined and documented IT security policies as guideline for your cloud provider follow and enforce regulated security parameters.
Have a question of your own about Diverse Technology Solutions’ dedication to HIPAA compliance? Contact us today.