HIPAA and Cloud Computing: What You Need to Know

Introduction

As a health care provider or business associate, you’re at the center of a confluence of forceful trends:

  • With the Affordable Care Act, more and more patients have access to care.
  • HIPAA and supplementary laws and regulations demand rigorous protections of patient privacy and health care information security—and threaten severe penalties for those who fall short.
  • You need, as always, to maximize cost efficiency—which means, among other things, spending wisely on the information technology (IT) that’s integral to modern health care delivery and management.

This guide for health care administrators and IT managers summarizes what you need to know—and do—to help ensure that your email and other cloud IT services are in full compliance with HIPAA. And it describes how you can do so easily and cost-effectively.

It All Starts with Email

… because email communication is integral to everything you do as a healthcare provider. It connects your staff not just with patients and with each other, but with your many partners as well: insurers, pharmacies, specialists, service providers, and others.

Think how many emails you generate every day: appointments and referrals, insurance claims and authorizations, lab results and answers to patients’ questions, and more. How many contain HIPAA-protected patient health information? And how many of those sensitive emails pass beyond your own presumably secure network—to and from possibly insecure third parties, including your employees’ and partners’ mobile devices? Every such email is a possible point of regulatory vulnerability or violation.

Based on your status as a covered entity under HIPAA, your staff members are authorized to send and receive, amongst themselves, Protected Health Information, or PHI (or ePHI, when in electronic form). But your responsibility for protecting the confidentiality of such information and the privacy of your patients doesn’t stop there. Just like your email, it often goes beyond the security of your network.

HIPAA and HITECH: Rights for patients, rules for providers

Passed by Congress in 1996, the Health Insurance Portability and Accountability Act mandates a set of regulations protecting the privacy and security of patients’ confidential health information, including when and with whom that information can be shared.

A supplemental Privacy Rule regulates the use and disclosure of patient data—whether verbal, written, or electronic—for health care providers, health plans, and health care clearinghouses, all known as covered entities. A Security Rule specifically defines security standards for the management of health information in electronic form (ePHI) by covered entities.

The Health Information Technology for Economic and Clinical Health (HITECH) Act (2010) and the HIPAA Omnibus Rule (2013) strengthen HIPAA’s privacy and security rules and toughen the penalties for breaches of patient privacy and health information security.

It’s important to note that covered entities are bound by HIPAA’s privacy standards even if they contract with others to perform some of their essential functions. In other words, your responsibilities and liabilities under HIPAA extend to all your business associates. This includes labs, billing offices, clinical services, and the like. It also includes the providers of your cloud-based IT services.

Is Your Email System Compliant?

Don’t assume that all business email systems are compliant. Many systems, including several well-known brands designed for professional or even enterprise-level use, are not.

Chances are, your internal email is safe on your own secure servers. And your email to and from third parties, including all email that qualifies under HIPAA as containing PHI, is probably encrypted, as required by the law. But encryption is not enough.

The HIPAA requirements for your email system and practices fall into three main categories:

  1. Access control and authentication. Each of your staff members must have a unique username and password for identification and tracking purposes. Shared logins are not permitted. Furthermore, you must have procedures for verifying that anyone seeking access to ePHI is who they claim to be.
  2. ePHI security and integrity, in storage and during transmission. You have to protect ePHI from being improperly altered or destroyed. Beyond storing ePHI securely, this means you must also have technical security measures, including encryption, in place to prevent unauthorized access by anyone who might, undetected, tamper with ePHI while it’s being transmitted out of your network.
  3. Audit controls. You have to have the hardware, software, and processes in place to record and monitor all logins to your health care information systems (including date, time, and IP address) and track all sent and received emails.
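The three requirements above translate directly into checks that an administrator can run against the records an email system already produces. The following Python script is an added illustration, not code from the original guide or from any particular email product; the login and outbound-mail records it reads are constructed samples, and the field layout, the ten-minute window and the `clinic.example` domain are assumptions. It reports failed logins, flags accounts that look shared (one username logging in from several addresses within minutes, which a unique per-person login should not do), and lists mail to outside domains that left without transport encryption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real logs). Assumed layout:
# timestamp  username  source-IP  result
LOGIN_LOG = """\
2024-03-04T08:01:12 jdoe 10.0.0.15 success
2024-03-04T08:03:40 jdoe 10.0.0.15 success
2024-03-04T08:05:02 frontdesk 10.0.0.21 success
2024-03-04T08:06:30 frontdesk 10.0.0.22 success
2024-03-04T08:07:11 frontdesk 10.0.0.23 success
2024-03-04T08:10:00 asmith 10.0.0.31 failure
2024-03-04T08:10:20 asmith 10.0.0.31 success
"""

# Constructed sample outbound-mail records. Assumed layout:
# timestamp  sender  recipient  tls=yes|no
MAIL_LOG = """\
2024-03-04T09:00:00 jdoe@clinic.example lab@partnerlab.example tls=yes
2024-03-04T09:02:30 jdoe@clinic.example billing@clinic.example tls=no
2024-03-04T09:05:10 asmith@clinic.example referral@specialist.example tls=no
"""

INTERNAL_DOMAIN = "clinic.example"  # assumed domain of the covered entity


def parse_logins(text):
    """Turn each login line into a record with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip, "result": result})
    return records


def shared_account_candidates(records, window=timedelta(minutes=10), min_ips=2):
    """Accounts with successful logins from min_ips or more distinct IPs
    inside one window. A single staff member rarely does this; a shared
    'frontdesk' login does, and shared logins are not permitted."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            ips = {x["ip"] for x in recs[i:] if x["ts"] - start["ts"] <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def parse_mail(text):
    """Turn each outbound-mail line into a record with a boolean TLS flag."""
    records = []
    for line in text.splitlines():
        ts, sender, rcpt, tls = line.split()
        records.append({"ts": ts, "from": sender, "to": rcpt,
                        "tls": tls.split("=")[1] == "yes"})
    return records


def unencrypted_external_mail(records, internal_domain=INTERNAL_DOMAIN):
    """Mail that left the organisation without transport encryption."""
    return [r for r in records
            if not r["to"].endswith("@" + internal_domain) and not r["tls"]]


def audit_report(login_text=LOGIN_LOG, mail_text=MAIL_LOG):
    """Summarise the three HIPAA checks over both record sets."""
    logins = parse_logins(login_text)
    mail = parse_mail(mail_text)
    return {
        "login_count": len(logins),
        "failed_logins": [r["user"] for r in logins if r["result"] == "failure"],
        "shared_account_candidates": shared_account_candidates(logins),
        "unencrypted_external_mail": [(r["from"], r["to"])
                                      for r in unencrypted_external_mail(mail)],
    }


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(f"{key}: {value}")
```

The shared-account heuristic is deliberately simple: it only says that an account deserves a look, and a reviewer still decides whether the logins came from one person moving between devices or from several people using one credential.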

And remember, the same requirements apply to covered entities with whom you communicate and share protected information via email. In fact, they apply to any and all persons and organizations to whom you outsource any function essential to your business, especially cloud IT providers.

Beyond Email: File Sharing and Syncing

Of course, your handling and use of confidential patient health information is not just a matter of email content and attachments.

Ours is an age of digital health records and specialized, collaborative health care and administration. To deliver the best care efficiently and economically, multiple parties, both within and outside your organization, need access to your patients’ electronic health information. But that imposes a complex set of requirements on your IT systems, including:

  • Security. Again, HIPAA imposes an absolute responsibility for maintaining the privacy and confidentiality of patients’ health records, both at rest and in transit. This means you have to provide and control multiple levels of access to that information for the many people who collaborate on patient care and related services—that is, your many diverse partners as well as your staff. And you have to be able to monitor and audit all health information file access, use, and change both inside and outside your organization.
  • Integrity. To secure ePHI from improper change or destruction, you must control not only who has access to what information but also who can change a file and when.
  • Mobility. Mobility has come to medicine. You may already deploy authorized mobile devices, such as Wi-Fi-connected cart-based PCs in hospital wards and personal tablets for clinicians. Chances are, more and more employees want and need to connect with your network-based applications and files from mobile devices, whether issued by you or purchased by them (a trend known as BYOD, or bring-your-own-device). Mobility adds another significant layer of complexity to the task of providing secure, HIPAA-compliant file access (as well as email).
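The security and integrity points above (multiple levels of access, control over who can change a file and when, and an audit trail of every access) can be shown in a small model. The Python below is an added example written for this guide, not code from the original document or from any file-sharing product. The role assignments, the two patient-record paths and the role-based rules are constructed assumptions; a real system would take these from its own identity store. Reads and writes go through one checked path that records an audit event, and a SHA-256 digest taken at each authorized write lets the store detect a change that bypassed that path.

```python
import hashlib
from datetime import datetime, timezone

# Constructed role assignments (assumption: a simple role-based model).
ROLES = {"dr.lee": "clinician", "jdoe": "front_desk",
         "lab.tech": "lab", "vendor": "vendor"}

# Constructed per-file rules: which role may read and which may write.
ACL = {
    "records/patient-0001/chart.json": {"clinician": {"read", "write"}, "lab": {"read"}},
    "records/patient-0001/labs.json": {"clinician": {"read"}, "lab": {"read", "write"}},
}


class PhiStore:
    """In-memory stand-in for a file store holding ePHI."""

    def __init__(self):
        self.files = {}    # path -> bytes
        self.digests = {}  # path -> sha256 of the last authorized write
        self.audit = []    # (timestamp, user, action, path, outcome)

    def _log(self, user, action, path, outcome):
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           user, action, path, outcome))

    def allowed(self, user, path, action):
        """Least privilege: an action is allowed only if the rule grants it."""
        role = ROLES.get(user)
        return action in ACL.get(path, {}).get(role, set())

    def write(self, user, path, data):
        if not self.allowed(user, path, "write"):
            self._log(user, "write", path, "denied")
            return False
        self.files[path] = data
        self.digests[path] = hashlib.sha256(data).hexdigest()
        self._log(user, "write", path, "ok")
        return True

    def read(self, user, path):
        if not self.allowed(user, path, "read"):
            self._log(user, "read", path, "denied")
            return None
        self._log(user, "read", path, "ok")
        return self.files.get(path)

    def verify_integrity(self):
        """Paths whose current bytes no longer match the last authorized write."""
        return [p for p, d in self.digests.items()
                if hashlib.sha256(self.files.get(p, b"")).hexdigest() != d]


def demo():
    """Walk through authorized and denied access, then an integrity check."""
    store = PhiStore()
    chart = "records/patient-0001/chart.json"
    labs = "records/patient-0001/labs.json"
    results = {}
    results["clinician_write"] = store.write("dr.lee", chart, b'{"allergies": []}')
    results["front_desk_write"] = store.write("jdoe", chart, b'{"allergies": ["x"]}')
    results["vendor_read"] = store.read("vendor", labs)
    results["lab_read_chart"] = store.read("lab.tech", chart)
    # A change made outside the checked write path (for example, someone
    # editing the underlying storage directly) is caught by the digest.
    store.files[chart] = b'{"allergies": ["penicillin"]}'
    results["tampered"] = store.verify_integrity()
    results["denied_events"] = [(u, a, p) for _, u, a, p, o in store.audit
                                if o == "denied"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is what an auditor asks for: every denied attempt is recorded alongside the successful ones, and the integrity check gives a concrete answer to "has this record been altered outside the controlled process?"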

Command and Control: Your Responsibility—and Your Best Protection

It’s not as if you wouldn’t want total command and control of your email, patient information, and other systems in any case. It’s just that, under HIPAA, it’s the law—and a very exacting law at that.

Again, it goes beyond email. Under HIPAA regulations, you must be able to track and report on all emails sent outside your network. But you also have to track and verify access to ePHI at every attempt. In fact, you must have systems and procedures in place to record and analyze all activity in your systems that store or use ePHI.

Such audit and reporting capabilities are not just your responsibility. They are also your best protection. They enable you to maintain your systems’ performance and compliance at peak levels and spot vulnerabilities before they blossom into problems. And they give you the data you need to demonstrate your compliance in the event of an external audit or inquiry.