HIPAA Compliance: How the Cloud Can Be Compliant

As our society grows more mobile, it’s becoming increasingly evident that we will need technology that is as mobile as we are. Cloud-computing software or, in general, software as a service (SaaS), tends to be a much more cost-effective solution than having a full staff of IT professionals. It allows data to be accessed by any client (usually a browser) connected to it (though it typically requires credentials), and as such it’s a highly versatile tool. The law itself is the Health Insurance Portability and Accountability Act (HIPAA), which implies that cloud computing might be a major factor in these laws. However, at the time that HIPAA became law, cloud computing was quite different from how it functions today, and as such some of the laws crafted by HIPAA had to be further refined in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Why is cloud computing so appealing, and how can it be compliant with these laws? Cloud computing is alluring not only cost-wise, but also in the ways that it can immediately fulfill some HIPAA requirements. Contingency plans are one example, as data is backed up and access to data can be brought back online quickly. (2) Depending on access credentials, the cloud can be mobile to almost anywhere, which makes it even more accessible to patients and the healthcare system as a whole.

However, because cloud-based data is centrally located and can be accessed via the internet, companies often feel concerned about security and privacy. The rapid-fire way data within these clouds changes, and the ease with which it might be accessed, mean that, theoretically, it could easily be compromised if steps aren’t taken to secure it. Furthermore, companies could be concerned about possible breaches and a lack of proper notification when they occur. They might also be concerned about how their data can be deleted from a cloud-based service where it could potentially be stored for a long period of time, especially if they have a subscription-based contract with the service. Finally, there might be concerns about how easily the cloud can move between different operating systems or devices. (4)

Cloud computing can also require passwords or PINs to be entered in order to alter or view PHI, or can require certain biometrics (information such as fingerprints or retinal scans) to be entered before it can be altered or viewed. Because biometric information can be particularly difficult to come by (ignoring all the science fiction movies where it’s as simple as getting a subject to speak a few words), this can be a particularly solid way to keep PHI private. Another (arguably more low-tech) way that information can be kept private is by the system automatically logging off after a computer is left alone for a certain amount of time. This then requires logging back in with a certain PIN or password and can be quite effective as a tool to keep PHI safe. HIPAA originally set up a policy of having physical barriers to prevent access to protected health information.

Now, however, rather than a physical barrier (such as shutting away servers in a locked room), cloud server data offers a technological barrier by having encryption both at rest and in transit. (2) Cloud-based services use both kinds of encryption, which adds another layer of security against hackers.

Cloud services also easily enable administrative users to change the access privileges of any users they feel should or shouldn’t see the information available. This might be particularly useful for verbal reporting to larger companies that could have exported their testing to a smaller laboratory, or one that has some members authorized to make changes to existing PHI while others cannot. This, again, allows compliance with HIPAA laws, which say that “covered entities [need] to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information” (3). Additionally, because many cloud services maintain access logs, unauthorized access and possible data breaches can be detected that much more quickly, allowing for accountability and confidence in a cloud-based system.
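The access-log review described above can be sketched as follows. This is an added example, not code from the original article; the role names, user names and log format are hypothetical, and the log lines are constructed sample data.

```python
from datetime import datetime, timedelta

# Hypothetical role-to-privilege map an administrator would maintain.
ROLE_PERMISSIONS = {
    "lab_admin": {"view", "alter", "change_privileges"},
    "technologist": {"view", "alter"},
    "reporting_clerk": {"view"},
}
USER_ROLES = {"asmith": "lab_admin", "bjones": "technologist", "cdoe": "reporting_clerk"}

# Constructed access-log lines: timestamp, user, action, record id, outcome.
SAMPLE_LOG = """\
2024-03-04T09:15:02 bjones view rec-1001 allowed
2024-03-04T09:16:40 cdoe view rec-1001 allowed
2024-03-04T09:17:05 cdoe alter rec-1001 denied
2024-03-04T09:17:09 cdoe alter rec-1002 denied
2024-03-04T09:17:15 cdoe alter rec-1003 denied
2024-03-04T23:48:51 cdoe alter rec-1001 allowed
2024-03-05T02:03:11 tempuser view rec-1002 allowed
"""

def is_permitted(user, action):
    """True only if the user has a known role that grants the action."""
    role = USER_ROLES.get(user)
    return role is not None and action in ROLE_PERMISSIONS[role]

def review_access_log(log_text, denied_threshold=3, window=timedelta(minutes=5)):
    """Return (finding_type, log_line) pairs that a reviewer should look at."""
    findings = []
    denied = {}  # user -> timestamps of recent denied attempts
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            findings.append(("malformed", line))
            continue
        ts, user, action, record, outcome = parts
        when = datetime.fromisoformat(ts)
        if outcome == "allowed" and not is_permitted(user, action):
            # Access succeeded although the role map does not grant it.
            findings.append(("privilege_mismatch", line))
        elif outcome == "denied":
            recent = [t for t in denied.get(user, []) if when - t <= window] + [when]
            denied[user] = recent
            if len(recent) == denied_threshold:
                findings.append(("repeated_denials", line))
    return findings
```

The two finding types separate attempts the access controls stopped (repeated denials) from accesses that succeeded without a matching privilege, which are the ones to treat as a possible breach.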

Additionally, there may be concern about data leaking from the cloud and revealing protected health information (PHI), and though many computing services recommend removing identifying information (1), this can make it harder for healthcare companies to identify patient tests. However, de-identifying patient samples or tests has already been used in the healthcare industry since HIPAA was introduced, so software that can speed this up should be seen not as a hindrance, but as a benefit of some cloud-based systems. Some companies prefer a limited data approach, in which only two major identifiers of a patient are used (whereas 18 is considered the full amount of personally identifying information).

Cloud vendors are also required to inform healthcare providers and laboratories of any breaches that are expected or that have happened while using their data services. This is also kept up to date in maintenance logs, which helps prospective companies wanting to purchase cloud software as a service (SaaS) and satisfies any third-party auditors. These maintenance logs help to demonstrate how frequently the software is checked for bugs or insufficiencies, which can help establish trust in a particular company.

Any Cloud Service Providers (CSPs) that enter into contracts with companies have to be able to delete or return electronic health records when contracts with healthcare providers are terminated. If this isn’t possible, then contracts must be extended until such a time when this is possible. Cloud services now often provide the ability to further encrypt the data prior to deletion, which gives another level of security to deleted PHI. (5) Some can mark items for permanent deletion and thus completely remove them from the data cloud.

Healthcare companies may feel concerned about whether or not their system could operate cloud-based systems, based on differences in OS. For some SaaS, this makes sense, but for web-based cloud applications, so long as the web browser is updated, then the cloud is accessible. In particular, this can make concerns about cross-platform computing disappear, because the cloud is accessible so long as there’s internet.

However, in cases where your business chooses to enter into an agreement with a cloud service provider (CSP), you must enter into a business associate agreement (BAA). This is a contract that outlines all of the rules and regulations a business (in this case, a cloud service provider) should follow in order to have a business relationship with your company. Failing to do so violates HIPAA law, and can result in huge fines, as well as confusion among business associates. The only case in which it is acceptable to not enter a BAA with a CSP is if the only information it stores is de-identified.

While it may seem troubling to put a lab’s trust into software that has the potential to be changed on a whim, part of what makes cloud software appealing is the fact that it is fast and mobile, allowing people to keep patients up-to-date on their own health. Not only this, but cloud software often works excellently within a limited budget and can still follow HIPAA guidelines, as demonstrated above. As such, a cloud-based approach should absolutely be considered both viable and perfectly legitimate.


Citations:

(1) Klein, C. A. 2011. “Cloudy Confidentiality: Clinical and Legal Implications of Cloud Computing in Health Care.” J Am Acad Psychiatry Law 39:571–8. Retrieved from https://pdfs.semanticscholar.org/7f8f/62ea4ecf5b3a8983b5c619c2ec7c13d9c0d8.pdf

(2) Wang, L., Alexander, C. A. August 2014. “Medical Applications and Healthcare Based on Cloud Computing.” International Journal of Cloud Computing and Services Science (IJ-CLOSER), Vol. 2, No. 4, pp. 217-225. Retrieved from https://www.researchgate.net/publication/275405581_Medical_Applications_and_Healthcare_Based_on_Cloud_Computing

(3) Minimum Necessary Requirement, from HIPAA guidelines. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html

(4) Ahuja, S. P., Mani, S., Zambrano, J. Sep 19th 2012. “A Survey of the State of Cloud Computing in Healthcare.” Network and Communication Technologies, Vol. 1, No. 2, 2012.

(5) Compton, A. Dec 10 2014. “Assured Deletion in the Cloud.” Retrieved from http://www.cs.tufts.edu/comp/116/archive/fall2014/acompton.pdf