When it comes to HIPAA compliant solutions, security, and cloud adoption, what most find frustrating is how to sort the myths from reality. The “addressable” requirements of the security rules tend to be the most difficult to meet. Thus, these addressable requirements have a tendency to fall off the radar, and could therefore create issues with compliance.
Under the HIPAA Omnibus Rule, business associates, which include many public cloud computing providers, are now directly liable for HIPAA compliance. This rule also covers what associate agreements need to be in place, with a clear responsibility outlined for who will protect the data.
So, the trend has been to rethink the role of cloud computing, by those charged with HIPAA security and policy. At its essence, this means understanding the existing requirements, and then understanding how the emerging use of cloud computing could provide compliant and secure HIPAA solutions.
Cloud computing has the potential to improve upon the best practices and technology that exist today. Those healthcare organizations that have been reluctant to move IT assets to public cloud, or managed services providers, now see a day when there will be little option but to leverage these services. Budgets are always tight, and the practice of building new data centers as healthcare organizations expand is becoming a bit tiresome to the boards of directors that pay the bills.
So, consider the next few years to be a bit of a forced marriage between cloud computing, manage services providers and their need to deal with healthcare compliance issues such as HIPAA. Both the regulators and the healthcare organizations need to work closely together to insure that the resulting solutions don’t place patient data at risk, nor run afoul of the law.
Things are certainly scary. Last year, breaches at Oregon Health & Science University involved the illegal storage of unencrypted patient information on a public cloud provider. These types of events put focus on the issue of how the emerging regulations, such as the HIPAA Omnibus Rule, affect cloud vendor compliance.
So, what’s an underfunded healthcare IT shop suppose to do to insure that they remain HIPAA compliant, as well as bring both agility and efficiency to their organization through the use of cloud computing? Here are a few suggestions:
First, create a HIPAA cloud strategy that defines the approaches, agreements, and target technology providers that you would like to leverage. Make sure to note costs, as well as do a quick business case study.
Second, make sure to understand the risk, and the need for both security and governance. Many healthcare organizations think that technology will save them. However, it’s more about the people and processes, and then the technology.
Finally, make sure to build outside validation and auditing into the process to make certain all of the agreements and technologies are up-to-date, and that the risk is as low as you can reasonably make it.
This is actually not that difficult to figure out, when you dig deeper into the issues. However, like any other technical changes that require an assessment of legal issues, it’s a bit nerve-racking at first.
By David Linthicum