5 FAQs on HIPAA Compliance In The Cloud
The Cloud Is Viable For HIPAA Applications
To ensure the protection of patient data, the Health Insurance Portability and Accountability Act (HIPAA) lays out guidelines that all companies in the health industry must follow—from primary care providers to data-handling agencies and third-party vendors. HIPAA rules often are complex, however. As a result, some companies inadvertently make mistakes, and others simply remain noncompliant for a variety of other reasons, leaving them subject to penalties that could add up to millions of dollars. Here’s a look at five key FAQs about HIPAA compliance and cloud computing.
FAQ 1: What’s Covered Under HIPAA?
The short answer: just about everything. Any piece of data that contains personally identifiable information about a patient, any type of treatment plan, or even aggregate data samples that could be traced back to individuals is covered by HIPAA. Your best bet: Assume everything falls under the scope of the law rather than trying to pick and choose.
FAQ 2: Is Cloud Storage Acceptable?
Absolutely. There’s no requirement for HIPAA data to be stored on-site or handled by a specific agency. In fact, when a problem does arise, it is rarely the cloud itself that is at fault; it’s how data is transmitted, handled, and stored in the cloud that often lands companies in hot water.
FAQ 3: What’s the Difference Between Covered Entities and Business Associates?
A covered entity is effectively the “owner” of a health record—for example, the primary care facility that first creates a patient profile or enters test results into its electronic health records system. Business associates, meanwhile, include any other company that handles this data. This means that cloud providers, third parties that offer on-site IT services, or other health agencies that access this data all qualify as business associates.
FAQ 4: Who Is Responsible for Health Data in the Cloud?
Ultimately, the covered entity bears responsibility for HIPAA-compliant handling. While business associates also can come under fire for not properly storing or encrypting data in their care, it’s up to the covered entity to ensure they’re able to audit the movement, storage and use of their HIPAA data over time.
FAQ 5: What Does “HIPAA Compliant” Really Mean?
While there is no official “HIPAA compliance” standard or certification that providers can obtain, it’s worth looking for other certifications that indicate good data-handling practices, such as PCI-DSS, SSAE 16, ISO 27001 and FIPS 140.
In part two of this series we will take a look at some prevalent myths about HIPAA compliance and cloud computing.