Wiz Experts Team
The Health Insurance Portability and Accountability Act (HIPAA) affects many different types of organization in the U.S. healthcare industry—from healthcare providers and health insurance companies to billing services and developers of mobile applications for use in patient care.
The main purpose of the regulation is to help organizations safeguard highly sensitive patient information through a range of mandatory data security and privacy controls.
But another key objective is to improve efficiency across the healthcare system. That's why so many organizations operating within the sector are now looking to exploit the cost-saving benefits of the cloud.
The cloud also delivers many other advantages over on-premises infrastructure. For example, it provides healthcare organizations with highly scalable storage, making it ideal for large volumes of patient data. It is distributed infrastructure, which facilitates the sharing of patient data across the healthcare ecosystem. And it offers robust offsite backup and failover solutions that help ensure optimum availability of critical health information.
Although the HIPAA doesn't make any specific reference to the cloud, it is a completely different IT environment from the on-premises data center—with different compliance challenges.
This post walks you through some of the key HIPAA considerations when you host your healthcare workloads in the cloud. But first let's start with a brief overview of the regulation.
The HIPAA is a set of regulatory standards that cover healthcare providers and healthcare businesses in the United States. It came into force in 1996 and set out to modernize the U.S. health system through a number of wide-ranging goals—from streamlining healthcare administration to ensuring uninterrupted health insurance coverage for employees who lose or change their job.
The most widely referenced part of the legislation is Title II: Administrative Simplification, which sets out a number of rules in relation to the handling of protected health information (PHI). PHI covers patient information, such as:
dates of birth
social security numbers
details about health conditions
the care people receive
This information can be in any form—in electronic format, a paper record, or verbally communicated.
Those organizations that directly manage PHI as part of the service they provide are known as covered entities. The HIPAA defines these as healthcare providers, health plans, and healthcare clearinghouses.
However, covered entities often use the services of other individuals and organizations. In cases where such providers handle PHI on behalf of a covered entity, they are known as a business associate (BA).
For example, a mobile application developer would be classed as a BA if it offered solutions, such as health monitoring apps, which involved the use of PHI. A cloud service provider (CSP) would likewise be considered as a BA if it were used for processing and storing PHI.
Every BA must enter into a contract with the covered entity. This is known as a business associate agreement (BAA). It spells out the measures the BA must take to safeguard PHI from unauthorized access or disclosure in line with HIPAA guidelines.
The two most important HIPAA Title II rules in relation to your compliance and security responsibilities are as follows.
HIPAA Privacy Rule
The Privacy Rule aims to strike a balance between the role of data in providing treatment and the protection of patient privacy.
It serves three main purposes.
First, it specifies the circumstances under which a covered entity may use or disclose an individual's PHI. Secondly, it gives patients right of access to their PHI. And, thirdly, it permits the sharing of PHI with other HIPAA-covered entities to ensure all parties involved in a patient's treatment have access to the information they need to provide an optimum level of care.
HIPAA Security Rule
The Security Rule focuses on ensuring the confidentiality, integrity, and availability of PHI that's stored and processed electronically.
It takes a risk-based approach to data protection, taking into consideration the risks to PHI, the likely impact of any incident, and the resources a covered entity or BA has at its disposal.
The National Institute of Standards and Technology (NIST) has published a document explaining how to implement the rule in practice. Although voluntary, compliance with the guidelines will help ensure your physical, administrative, and technical safeguards are aligned to Security Rule provisions.
The U.S. Department of Health and Human Services Office for Civil Rights is responsible for enforcement of both Privacy and Security Rules and has the power to issue penalties for violations.
However, there is no official certification for HIPAA compliance. So when a third party states that it is HIPAA compliant, it simply means it provides you with all the controls and tooling to help you meet the regulation's requirements.
1. Shared responsibility
When an organization hosts PHI in the cloud, responsibility for the security, integrity, and availability of that information is shared between the covered entity or BA and the CSP. In other words, they share responsibility for HIPAA compliance.
Both parties must conduct a risk analysis of the PHI they handle. This helps them not only determine the measures they need to take to protect it, but also understand how responsibilities are shared between both parties.
Once both parties have clearly established each other's roles and responsibilities for meeting Security Rule requirements, they should document them in the content of the BAA between them.
2. Business associate agreements (BAAs)
Larger CSPs, such as AWS, Microsoft Azure, and Google Cloud Platform, often have standard BAAs, which are available on request or written into their terms and conditions. If you're using the services of such a CSP then you should thoroughly check which solutions are covered by their BAA and, ideally, disable those services that are not included.
In some cases, a CSP will use one or more third-party solutions as part of the service it delivers. Such solutions must also comply with the HIPAA. This must be stipulated in the BAA to ensure end-to-end compliance coverage.
3. Service-level agreements (SLAs)
Before entering into a business relationship with a CSP, you should check that their SLA meets HIPAA expectations for service availability. It should promise near 100% uptime and meet your recovery time objective (RTO) and recovery point objective (RPO) to be sure of fast recovery and minimum loss of data in the event of unexpected downtime.
You should also check that the SLA is consistent with both your BAA and the HIPAA. For example, you should pay due consideration to terms relating to use, retention, and disclosure, security responsibilities, and how data will be returned to you on termination of service.
4. Encryption
If a CSP hosts encrypted PHI on your behalf then it is still classed as a BA even if it doesn't have access to the encryption keys and is therefore unable to view the data. This is because it still has to meet HIPAA requirements for maintaining the integrity and availability of such data.
However, under such circumstances, its obligations will be limited, leaving you accountable for much more of the shared responsibilities between you.
And, finally, be aware that you must encrypt patient data, both at rest and in transit, using an encryption algorithm that meets NIST requirements.
5. Data classification
Data classification will help you establish what information in your data inventory comes within the scope of the HIPAA and therefore requires an appropriate level of protection.
However, this is a time-consuming and complex manual process, which is prone to human error. A new generation of data discovery, mapping and classification tools, on the other hand, can automatically scan and analyze your data to ensure fast, efficient and accurate detection of sensitive patient information.
They can also do so across a wide range of different data repositories, in both structured and unstructured form, to ensure full coverage across both cloud-based and on-premises infrastructure.
6. Cloud storage
Cloud storage solutions that support HIPAA compliance will offer a full range of features to help ensure the confidentiality, integrity, and availability of your data. They should include functionality such as:
robust access controls
activity logging and monitoring
immutable backups and snapshots
However, whether it's storage or any other service you use in the cloud, configuration is key to HIPAA compliance success, because security capabilities are pointless if you don't configure them correctly.
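To make the encryption requirement in section 4 and the storage controls above concrete, here is a small posture check of the kind a compliance tool runs against a bucket holding PHI. This is an added example, not Wiz's code and not any CSP's API: the configuration dictionaries and their field names are constructed to resemble a simplified summary of an S3-style bucket, and in practice you would populate them from the provider's API or a CSPM export. It flags a weak configuration beside its hardened counterpart.

```python
"""Posture check for an object-storage bucket that holds PHI.

Added example (not Wiz's code or a cloud provider's API). The field names
in the configuration dictionaries are assumptions made for illustration;
populate them from the provider's API or a CSPM export in practice.
"""
from __future__ import annotations

from dataclasses import dataclass

# Encryption at rest must use a NIST-approved algorithm. AES-256 (FIPS 197),
# whether provider-managed or KMS-backed, is acceptable; anything else is not.
APPROVED_AT_REST = {"AES256", "aws:kms"}
# Minimum TLS version accepted for data in transit.
MIN_TLS = (1, 2)


@dataclass(frozen=True)
class Finding:
    control: str  # Security Rule safeguard the check maps to
    detail: str


def _tls_tuple(version: str) -> tuple[int, int]:
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    major, minor = version.split(".")
    return (int(major), int(minor))


def check_bucket(cfg: dict) -> list[Finding]:
    """Return one Finding per failed HIPAA-relevant control; empty list means clean."""
    findings: list[Finding] = []

    enc = cfg.get("default_encryption")
    if enc not in APPROVED_AT_REST:
        findings.append(Finding(
            "encryption-at-rest",
            f"default encryption is {enc!r}; expected one of {sorted(APPROVED_AT_REST)}"))

    # In transit: the bucket policy must reject plaintext requests, and the
    # TLS floor must not allow obsolete protocol versions.
    if not cfg.get("deny_insecure_transport", False):
        findings.append(Finding("encryption-in-transit",
                                "bucket policy does not deny non-TLS requests"))
    elif _tls_tuple(cfg.get("min_tls_version", "1.0")) < MIN_TLS:
        findings.append(Finding("encryption-in-transit",
                                f"minimum TLS version {cfg['min_tls_version']} is below 1.2"))

    # Robust access controls: PHI must never be reachable anonymously.
    if not cfg.get("block_public_access", False):
        findings.append(Finding("access-control", "public access is not blocked"))

    # Activity logging and monitoring.
    if not cfg.get("access_logging", False):
        findings.append(Finding("audit-logging", "server access logging is disabled"))

    # Immutable backups and snapshots: versioning keeps prior copies, object
    # lock prevents their deletion within the retention period.
    if not cfg.get("versioning", False):
        findings.append(Finding("versioning", "object versioning is disabled"))
    if not cfg.get("object_lock", False):
        findings.append(Finding("immutable-backup", "object lock (WORM retention) is not enabled"))

    return findings


def failed_controls(cfg: dict) -> list[str]:
    """Sorted list of control names that failed, convenient for reports and tests."""
    return sorted(f.control for f in check_bucket(cfg))


# Constructed sample configurations (not real buckets).
WEAK_BUCKET = {
    "name": "phi-exports-weak",
    "default_encryption": None,
    "deny_insecure_transport": False,
    "block_public_access": False,
    "access_logging": False,
    "versioning": False,
    "object_lock": False,
}

# Mostly fixed, but the TLS floor and retention controls were overlooked.
PARTIAL_BUCKET = {
    "name": "phi-exports-partial",
    "default_encryption": "AES256",
    "deny_insecure_transport": True,
    "min_tls_version": "1.0",
    "block_public_access": True,
    "access_logging": True,
    "versioning": True,
    "object_lock": False,
}

HARDENED_BUCKET = {
    "name": "phi-exports-hardened",
    "default_encryption": "aws:kms",
    "deny_insecure_transport": True,
    "min_tls_version": "1.2",
    "block_public_access": True,
    "access_logging": True,
    "versioning": True,
    "object_lock": True,
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, PARTIAL_BUCKET, HARDENED_BUCKET):
        print(bucket["name"])
        for f in check_bucket(bucket) or [Finding("ok", "all checks passed")]:
            print(f"  [{f.control}] {f.detail}")
```

The partial configuration is the instructive one: encryption is on and the bucket is private, yet it still fails because the TLS floor permits obsolete protocol versions and nothing stops a deleted or overwritten record from being lost. Every finding is tagged with the safeguard it maps to, which is what lets a report line up with the Security Rule's risk-based structure rather than with a flat list of settings.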
Solutions to support HIPAA compliance
Privacy, security, and compliance are highly interrelated disciplines. So it makes sense to address these responsibilities using a single centralized solution.
In other words, tooling that not only provides capabilities to protect your information assets, but also maps your security posture against the provisions of laws such as the HIPAA.
Healthcare security solutions should help you identify compliance violations across a comprehensive array of controls. They should support a risk-based approach to security, in line with the underlying principle of the HIPAA Security Rule. And they should automatically benchmark your cloud deployments against a wide range of other compliance frameworks—so you can meet the requirements of many other regulations and standards from a single point of control.
Wiz is a unified cloud security platform that includes automated compliance assessments against industry standard regulations and benchmarks, including HIPAA. Wiz continuously assesses your compliance posture across frameworks, projects, and subscriptions, and provides you with a comprehensive report of your findings.
Wiz can help you achieve HIPAA compliance by:
Providing you with visibility into your cloud environment, including all of your assets, configurations, and activities.
Identifying and assessing risks to your HIPAA compliance, such as misconfigurations, vulnerabilities, and unauthorized access.
Recommending remediation steps to mitigate risks and improve your compliance posture.
Generating compliance reports that you can use to demonstrate your compliance to auditors and regulators.