Demystifying HIPAA and the Cloud

The term “cloud computing” popped up about five years ago to describe a relatively simple concept: the ability to consolidate and outsource computing resources to (often) external entities in order to take advantage of economies of scale, resulting in cheaper, more flexible, and more secure computing. Cloud computing enables many computing resources to be used much like a utility.

Today, cloud computing is an integral part of the high-tech landscape, from consumer-grade services like cloud email (e.g., Gmail), document storage (e.g., Dropbox), and collaborative editing (e.g., Google Docs) to specialized enterprise services such as customer relationship management software (e.g., to full servers (e.g., Rackspace).

In the health care field there is a fair amount of uncertainty about adopting cloud services, especially around sensitive health data. However, while the use of computing resources to store and share sensitive health data always merits a thoughtful approach, there is nothing inherently dangerous about cloud computing. Health care organizations should be able to benefit as much as other sectors have from cloud computing.

One central point of uncertainty involves the application of the Health Insurance Portability and Accountability Act (HIPAA), which governs how health care organizations manage the privacy, security, and potential data breaches of protected health information (PHI). To help answer some of these questions, CDT has prepared a set of Frequently Asked Questions (FAQ) on HIPAA and the cloud. Our analysis covers both basic and complex questions, including:

  1. What is cloud computing?
  2. Can health care providers choose to store protected health information (PHI) in the “cloud,” and why might they want to?
  3. Is a cloud service provider (CSP) a business associate under the HIPAA Privacy Rule?
  4. Does cloud computing remove the need for health care providers to worry about the data they store with a CSP?
  5. Can the government access PHI stored with a CSP for law enforcement and national security purposes?
  6. Can health care providers use general purpose, publicly available Internet services such as document, email, and calendar services to store PHI and still be in compliance with HIPAA?

Health care organizations need to incorporate the cloud carefully into their HIPAA compliance regime. Ignorance has proven damaging in the past: the Department of Health & Human Services (HHS) has so far brought enforcement action against one health care provider that misused cloud computing services in such a way that it errantly made protected health information publicly available. And recently, a health care provider in Oregon gave notice to thousands of patients when it discovered that employees were using a cloud-based spreadsheet containing PHI to keep track of patients.

There are far more examples, though, of compliant and productive use of cloud computing in health care. These FAQs are intended to help providers maximize the benefits of cloud computing while remaining in compliance with their HIPAA obligations. Cloud computing can be a great business solution for many health care providers, but be sure you know all the facts before signing up.

