“Cloud Privacy and Security.  Threats challenge healthcare providers.”

Advance for Health Information Professionals by Adam Greene and Mac McMillan

Using cloud technology continues to be a popular solution in the healthcare industry, but doing so poses security threats and can make HIPAA compliance even more challenging for healthcare providers.  Adam Greene, Chair of the HIMSS Cloud Security Workgroup, and Mac McMillan, Chair of the HIMSS Privacy & Security Task Force, recently addressed this topic in an article featured in Advance for Health Information Professionals.  They first explain that the privacy and security threats depend on whether you are using the cloud as SaaS, PaaS or IaaS, because each model shifts a different share of the security responsibility between the provider and the customer.  Among the cloud challenges they list are “reliability, availability, and loss of service”, “impermissible access related to multi-tenant sharing of assets without proper controls”, and “access management”.

Greene and McMillan also address the HIPAA compliance challenges of using a cloud vendor.  Until recently, many cloud providers did not know whether they were business associates (BAs) or whether they needed a business associate agreement (BAA).  Many vendors claimed they were not BAs and were only a “conduit” for the information.  This was somewhat clarified last year in a settlement agreement between HHS and a physician practice that was using a cloud SaaS service.  The practice had no business associate agreement with the cloud service provider, and HHS took the position that the provider was a BA.  Greene and McMillan add that the Omnibus Rule that took effect in March further clarified that cloud vendors are BAs, since the rule defines who is considered a business associate.  They point out one possible exception where an entity may not need a BAA with a cloud vendor: it might not be necessary if the data is stored encrypted on the cloud provider’s servers and the provider does not hold the decryption key.

According to Greene and McMillan, obtaining a BAA is not the only HIPAA compliance challenge when using a cloud vendor.  When conducting a risk assessment under the HIPAA Security Rule, healthcare providers need to identify any risks the cloud vendor poses.  Furthermore, the healthcare provider should also be aware of how the cloud vendor uses and discloses its sensitive data.  The entire article is available from Advance for Health Information Professionals.