HIPAA Compliance for the Cloud
Attaining Health Insurance Portability and Accountability Act (HIPAA) compliance is critical for any business that must protect electronic personal health information (ePHI), especially when data is stored and processed in the cloud. This is an introduction to the protection of that data.
Security and compliance around personal data has been on the rise as more individuals become familiar with new and old legislation on the topic. In 1996, Health Insurance Portability and Accountability Act (HIPAA) was created to address the concerns of data security in the healthcare industry. In this blog post, we take a deeper look at the five sections of HIPAA, what it means to be compliant and more specifically, how to adhere to HIPAA compliance in the cloud.
What is HIPAA?
President Bill Clinton signed HIPAA into law to keep patient data and records secure. The act includes five titles:
- Title I: HIPAA Health Insurance Reform
- Title II: HIPAA Administrative Simplicity
- Title III: HIPAA Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets
When considering the cloud and cybersecurity, Title II is the primary focus for maintaining HIPAA compliance.
Five HIPPA Compliance Requirements
Title II includes the following compliance requirements:
- National Provider Identifier Standard—each healthcare entity (for example, individuals, organizations, and health plans) must have a unique 10-digit National Provider Identifier (NPI)
- Transactions and Code Sets Standards—healthcare organizations must use the standard mechanism for Electronic Data Interchange (EDI) when managing insurance claims
- HIPAA Privacy Rule—the Standards for the Privacy of Individually Identifiable Health Information; this rule sets the standards to protect patient health information
- HIPAA Security Rule—the security standards for the electronic protected health information (ePHI), outlining standards for patient data security
- HIPAA Enforcement Rule—this rule provides guidelines for investigating HIPAA violations
In summary, Title II is a collection of standards and practices that organizations can leverage to quickly identify where non-compliance takes place.
HIPAA Compliance and Standards
Unlike other standards, HIPAA compliance is not a one-off certification or one that only needs annual audits and reviews. Instead, it requires continuous monitoring and upkeep, as you can be reported for non-compliance by anyone at anytime. Don’t fret, staying HIPAA compliant in the cloud is becoming increasingly easier due to the US Health Department’s (HHS) Office for Civil Rights (OCR) recognizing that more guidelines are needed for the growing cloud industry. In Title II, the Privacy Rule and Security Rule are key to cloud service providers (CSPs). The HHS also enacted the HIPAA Omnibus Rule to include requirements that were previously missing, including the Breach Notification Rule, which is a vital rule for CSPs. As the name suggests, should there be any breach of the Privacy Rule, regarding to patient health information, organizations need to notify the affected individuals, the Secretary, and if relevant, the media.
In the guidelines for the three rules most critical to CSPs, the HHS encourages a flexible and considerate approach, given the many variations of the cloud and the services provided, such as a no-view service with no read access.
HIPAA Considerations for the Cloud
It’s useful to begin with a quick glossary in terminology, as we understand that legal jargon isn’t in everyone’s vocabulary. On the HHS website, you’ll often see the following terms, so let’s break them down into plain English:
- Covered Entity = Health Plan, Health Care Provider, or Health Care Clearinghouse. Essentially, any parties and businesses involved in the medical claim from inception and validating, to submission and payout.
- Business Associate = Any third-party business to a covered entity, such as a CSP, that deals with ePHI, including creating, maintaining, or transmitting it.
- Business Associate Agreement (BAA) = The agreement between the covered entity and business associate, stating that the business associate (for example the CSP) is directly liable to stay compliant to HIPAA.
HIPAA Security Rule Considerations
Any CSPs that are considered a business associate must comply with the Security Rule and its specific management of ePHI. It’s important to note that even if only encrypted storage is provided with no decryption keys, CSPs are still required to comply with HIPAA because they are still managing the data.
However, within the Security Rule, if there is full agreement of both parties under the BAA, it’s possible that areas of compliance can be satisfied from just one party’s actions.
For example, the business associate, Acme Cloud Store Inc., and the covered entity, Happy Body Healthcare, have a BAA that states that all access control responsibilities are managed by the customer. Under this agreement, Acme Cloud Store Inc. provides a service that maintains ePHI through encryption and has a strict no-view policy. Its customer, Happy Body Healthcare, uses multi-factor authentication (MFA) to fully control who can access the sensitive information.
In this example, the customer is only responsible for managing the access to ePHI. In order to satisfy the requirements of the Security Rule, Acme Cloud Store Inc. is still required to employ its own strict access policies to the infrastructure hosting the ePHI.
HIPAA Privacy Rule Considerations
According to the Security Rule, a CSP can only use or disclose ePHI as per the BAA, the Privacy Rule, or any other legal requirement. This extends to those with a no-view policy, like Acme Cloud Store Inc., who could not read the data and had no control over who accesses the information.
It’s also important to note that under the Security Rule, Acme Cloud Store Inc. must include a secure process for individuals to access, change, and receive their own ePHI. There is a fine line drawn in the Privacy Rule, as individual access and amendments to ePHI must be maintained. However, it’s imperative to remember that it is not permissible for the CSP to entirely delete the data or block access to its customers on behalf of that individual.
HIPAA Breach Notification Rule Considerations
It’s clear that notification is essential on nearly all occasions of a breach. However, there are a couple of scenarios where notifications are unnecessary.
The first is if the encrypted data that has been breached is encrypted to the standards of HIPAA. This type of breach is considered “safe harbor”, where disclosure to the customer is unneeded.
The second scenario where notification is inessential, is dependent on what is legally considered a breach. According to Cornell Law School, the definition of a breach excludes any access to (authorized or not) or use of information, which was done in good faith and not further used unlawfully. It is also not considered a breach if the unauthorized person wouldn’t have been able to retain the information. Understandably, this can create detrimental ambiguity in your processes or systems—consulting with appropriate legal counsel is highly recommended.
How to Stay HIPAA Compliant
As part of a greater effort to help aid HIPAA compliance within the cybersecurity space, the OCR aligned HIPAA with the National Institute of Standards and Technology Framework (NIST). As one of the biggest standards in the industry to be recognized, if you are already NIST compliant, it is subsequently easier to be HIPAA compliant.
To ensure that high standards and awareness are maintained, many businesses provide HIPAA compliance training and credentials. There are many consultancies that provides training, including the OCR, which offers different training modules to accommodate the wide-range of entities that must comply with HIPAA.
Trend Micro Cloud One™ – Conformity is a compliance service that helps organizations understand where HIPAA compliance affects their infrastructure and how to maintain the high standards necessary to keep the risk of breaches and consequent fines as low as possible.
The platform performs nearly 1,000 real-time cloud infrastructure configuration checks, aligned to the design principles of the Amazon Web Services (AWS) and Microsoft® Azure® well-architected framework. These checks are performed on your cloud accounts, with customizable alerts that can filter out HIPAA-relevant results. Conformity also allows you to quickly rectify any check violations utilizing simple, step-by-step remediation guides.
Examples of high-risk AWS HIPAA checks run on Conformity:
- Publicly Accessible RDS Instances
- Enable Amazon Simple Storage Service (Amazon S3) Bucket Default Encryption
- Amazon Elastic Compute Cloud (Amazon EC2)—Unrestricted Outbound Access on all Ports
Conformity offers continuous assurance that your CI/CD pipeline is secure and HIPAA compliant from inception, through to initial deployment and ongoing maintenance.
Take a look at your security posture using the free 30-day trial, which provides you with full access to the service, including real-time monitoring, auto-remediation, and cost-optimization.