Are All of Your Cloud-Service Providers HIPAA Compliant?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established standards to ensure the security of electronic healthcare records and transactions. For most organizations, navigating the complex requirements of this and other privacy acts remains a daunting challenge, especially as the cloud becomes home to ever more data.

While HIPAA was designed primarily to standardize the use of electronic healthcare information, Congress also realized that technology advances could affect the privacy of health information. Rules were created to regulate the types and uses of personally identifiable health information, and the act also identified required disclosures to customers about the use of their data.

The rules apply to “covered entities,” which are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information. However, the list of those who must comply with the rules also includes those with whom the covered entity does business to carry out its services.

Therein lies the problem. If you are required to be “HIPAA compliant,” everyone with whom you do business who handles your data must be as well. Your organization must have procedures to determine whether the services you use also have HIPAA-compliance practices.

As more businesses deal with many providers of all kinds of services in the cloud, keeping your business insulated from data breaches, HIPAA audits, and noncompliance fines becomes a major issue. And all parties have yet to realize just how HIPAA requirements will impact the development of new technologies, which will, in turn, impact medical practices.

Adobe has addressed this issue by implementing a framework of security controls for the Adobe Marketing Cloud known as the Common Controls Framework (CCF). This combines security requirements from sources such as SOC2, ISO27001, PCI, HIPAA, and FedRAMP into a standard framework that is applied to all of our cloud products, services, platforms, and operations. Using the CCF, many of our cloud products and services have achieved SOC2, ISO27001, HIPAA, and even FedRAMP certifications. These are major accomplishments and milestones for Adobe’s cloud services and products that will allow us to provide our customers with assurances that their data and applications are more secure.

Organizations in the healthcare space are under tight regulations to adhere to privacy and HIPAA laws, as the implications of being non-compliant are severe. Adobe sees this, along with other security mandates, as being critical for many of our customers across all verticals. Although Adobe has achieved some of the top compliance and security standards thus far, as time goes on, we will continually strive to obtain more certifications and adhere to regulations across the globe.

Protection if You Use Distributed Cloud Services

If you use distributed cloud services, rather than an integrated platform like ours, how can you be sure that they are HIPAA compliant? Technology news provider eWeek provided some helpful ideas.

  1. Your cloud provider must be able to give you a Business Associate Agreement (BAA) that clarifies its HIPAA compliance and makes it subject to the same accountability that you are.
  2. Since there are no official government-sponsored HIPAA certifications, the only way you can be sure of a cloud provider’s compliance is through an audit from an independent organization. For security purposes, determine whether they have some of the certifications that we have at Adobe.
  3. Make sure your cloud-service provider gives you guaranteed response times in the event of a security incident. Otherwise, you might be in violation of HIPAA guidelines.
  4. Your cloud provider should encrypt your data everywhere in the system — not just while it is in transit, as the HIPAA rule states. Make sure it uses at least 256-bit Advanced Encryption Standard (AES-256) encryption, which is the level enforced by federal agencies.
  5. Your cloud provider should have the expertise to secure databases of all kinds, including those that span inter-cloud networks with older applications. “Born in the cloud” providers may not have this level of expertise.
  6. HIPAA does not define what it means by “regular” audits, so make sure your agreement with your cloud provider specifies the type and frequency of reviews, audits, and reporting.
  7. HIPAA has administrative requirements as well. New employees must be trained, and policies must be reviewed among staff regularly. You should review the administrative policies of your cloud provider.
  8. Make sure that adequate security practices are in place at the actual datacenter that houses the cloud provider.
  9. Your cloud provider should be able to give you the results of its compliance with the standards set by the Department of Commerce (National Institute of Standards and Technology). These standards are the minimum requirements for the federal government.
  10. HIPAA requires a disaster-recovery plan. Make sure that your cloud provider has a plan for protecting information in all manner of disasters and emergencies.

A secure, integrated platform provides many benefits, especially when it comes to HIPAA compliance. If you must distribute your data functions across multiple cloud services, your complexity increases, and you have to work harder to ensure compliance. Be sure to have a dedicated department within your IT organization to manage the HIPAA accountability of your data partners. The key is to associate yourself with providers who protect your data as if it were their own.