In today’s fast-paced business world, cloud-based services are taking over. These services are identified with terms like “platform as a service” (PaaS), “software as a service” (SaaS), and even “infrastructure as a service” (IaaS). Each of these refers to a service based in data centers that you access through the internet—as opposed to local servers in your work environment. It is only natural that the healthcare industry would aim to take advantage of this, cutting down on IT costs and increasing accessibility to protected health information (PHI).
As an IT person jumping down the HIPAA rabbit hole, I learned that compliance is not as easy as ticking a checkbox or purchasing a software license. Here are some things to consider about the purchase and use of cloud-based services with HIPAA compliance:
1. Compliance is not built-in, it’s configured.
To appeal to the healthcare industry, cloud-based services started making products that can be HIPAA compliant. Note that I said, “can be” and not “are.”
This is an important distinction when shopping for services like email and storage. Very few, if any, cloud services will be meet HIPAA standards right out of the box. As an IT admin, you will need to configure the service settings yourself and maintain those settings to stay compliant. Here is a great resource with tips on meeting HIPAA standards, although it is not a definitive guide: https://www.hipaajournal.com/hipaa-compliance-checklist/
2. You need a Business Associate Agreement.
Since these cloud services will be hosting or transmitting PHI, you need a Business Associate Agreement, or BAA, with that service. This agreement means that you share the responsibility of meeting HIPAA standards. If the service mishandles PHI data, you are not on the hook for it. Without this agreement, your company puts PHI at risk and could be heavily fined.
3. There is no such thing as certifying HIPAA compliance.
The U.S. Department of Health and Human Services does not recognize any HIPAA certification as a mark of compliance. However, it’s certainly beneficial that your employees are trained in HIPAA knowledge and practices. There are even companies like ComplySmart that will provide a HIPAA assessment to guide you in the right direction. Keep in mind that no certification nor assessment is enough to guarantee your compliance with HIPAA.
4. Compliance is not “set it and forget it.”
You’ve gone through your checklist, you got your BAA signed, and your employees are educated on HIPAA standards and best practices. You’re all done, right? For now, yes. But you need to always keep an eye out for new cybersecurity threats, so you can protect your servers and workstations, and make sure employees are trained on best practices for safe usage of these services. There is no patch for human error, but you can provide training and audits to ensure your PHI is being handled correctly.
Whether you’re searching for a new cloud service or you have one already, keep these tips in mind to ensure your information is safe. The cloud is an incredibly useful tool for the healthcare industry; you just have to do your due diligence to protect the rights and privacy of your patients and their information.
This post was edited by Lindsey Stefan.