“Don’t worry, I verified that Amazon Web Services (AWS) provides HIPAA compliant cloud storage. That means we can use it, right?”
This is a question I sometimes get asked. Of course, AWS isn’t the only Cloud Service Provider (CSP) clients ask about. It just happens to be the one I’m asked about most.
So what’s my answer? If a cloud provider says it is compliant with HIPAA — or any other law, regulation, or standard concerning security or privacy — it simply means they’ve provided the functionality to use it in a compliant manner. Out-of-the-box, no cloud service is going to be “compliant” with any security or privacy requirement.
You as the customer have to know what levers to pull and what knobs to turn. But don’t just jump into the technical weeds and assume you can simply follow what your CSP says and achieve HIPAA compliant cloud storage. Besides technical configurations, there are bigger issues that can impact the particular requirements that apply — and how they apply. User guides and other resources like these from AWS won’t help you there.
The 5 Key Questions that Define Your HIPAA Compliant Cloud Storage Needs
This post covers five key questions you should understand before attempting to use a CSP in a manner that complies with the HIPAA Privacy, Security, and Breach Notification Rules.
1. Under HIPAA, are you considered a covered entity or business associate?
Let’s assume your business or organization is subject to HIPAA. Are you considered a covered entity or a business associate? Of course, don’t forget that these days a vendor of a business associate can itself be considered a business associate if certain criteria are met. Also don’t forget that an organization can be a covered entity for some purposes and a business associate for others.
Why does it matter? Whether you’re a covered entity or business associate can impact a number of areas, including the contracts you’ll need and what provisions to include. It can also impact what obligations you owe — and to whom you owe them — for things like reporting breaches and handling specific requests made by patients. It is important to be clear about your obligations so you can ensure you have an appropriate HIPAA compliant cloud storage solution.
For example, if you’re a business associate who has been contracted to develop software for a hospital (a covered entity), then you’ll need to know what contracts you need in place with both the hospital and your CSP (which I’ll cover next).
If you’re unsure of your role and what contracts you need, be sure to speak with an experienced HIPAA compliance attorney.
2. Should your Cloud Service Provider be considered a business associate?
Next, let’s talk about your CSP. Is your CSP considered a business associate under HIPAA? Well, that depends. If the CSP meets the criteria of a business associate — for example, because it receives, stores, or transmits Protected Health Information (PHI) — then the answer is yes.
If you intend to store PHI in the cloud, you will need to ensure you have a HIPAA compliant cloud storage solution. A CSP will sign a business associate agreement, but you typically need to ask for one. But besides contracting, there are other issues to keep in mind. Be sure to read Guidance on HIPAA & Cloud Computing from HHS, which discusses important topics like “no-view services” (i.e., when a CSP stores encrypted ePHI and does not have a decryption key).
3. What type of health data are you dealing with?
As this post is about HIPAA, I’ll assume you’re dealing with health data. Keep in mind that other types of health data exist besides full-fledged ePHI. Maybe you’re working with a limited data set for research purposes, or perhaps data that is considered de-identified under the HIPAA Privacy Rule. Or maybe you’re working with a combination of data types.
Different types of data can trigger different types of obligations, which is why it is critical to identify exactly the categories of data you’re dealing with. The type of data can also impact what kind of liability you might face if you experience an incident or are found to be misusing it.
In addition, I would ask other questions to get more context about the types of data you are planning to place in the cloud. Not all PHI should be considered the same. For instance, information about HIV diagnoses is much different in nature than, say, databases of patient contact information. The overall context can impact the safeguards you’ll want to employ and the selection criteria you use for a HIPAA compliant cloud storage solution.
4. Who is responsible for security and HIPAA compliance obligations?
Under a shared responsibility model, both you as the customer and your CSP bear responsibility for technical controls and certain compliance-driven functions in a HIPAA compliant cloud storage solution. Of course, you’re each responsible for different things and in different ways.
As mentioned above, no service should be considered “compliant” out of the box. A CSP can provide capabilities for things like audit logging and encryption that can be helpful for meeting certain technical safeguards under the HIPAA Security Rule. But it’s up to you as the customer to properly configure and monitor these controls.
Also, don’t overlook other HIPAA obligations that a CSP can’t and won’t do on your behalf.
For instance, a properly conducted and up-to-date HIPAA Security Risk Analysis is a must have for any organization subject to HIPAA. Having written policies and procedures is also very important.
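To make the customer side of the shared responsibility model concrete, here is an added example (my illustration, not code from the post or from any CSP’s documentation). It takes a bucket configuration exported for review and reports which customer-controlled settings are missing or weak. The configuration dict and its field names (`default_encryption`, `client_side_encryption`, `access_logging`, `block_public_access`, `versioning`) are constructed, provider-neutral labels, not any provider’s real API fields; the bucket name is a placeholder.

```python
"""Customer-side control check for a cloud storage bucket (added illustration).

The provider exposes each capability below; enabling and monitoring it is the
customer's job. The settings dict is a constructed sample with hypothetical
field names, chosen to show gaps rather than to mirror any real provider API.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample configuration; the name is a placeholder.
SAMPLE_BUCKET = {
    "name": "example-phi-bucket",
    "default_encryption": "AES256",   # server-side, provider can use the key
    "client_side_encryption": False,  # data encrypted before upload with a key the provider never holds
    "access_logging": False,
    "block_public_access": True,
    "versioning": False,
}


@dataclass
class Finding:
    control: str
    severity: str
    detail: str


def evaluate_customer_controls(bucket: Dict) -> List[Finding]:
    """Return one Finding per customer-side control that is off or weaker than intended."""
    findings: List[Finding] = []

    if not bucket.get("default_encryption"):
        findings.append(Finding("encryption-at-rest", "high",
                                "default encryption is not enabled"))

    # Server-side encryption with any key the provider can use still lets the
    # provider view ePHI; the HHS 'no-view' arrangement requires a key it never holds.
    if not bucket.get("client_side_encryption"):
        findings.append(Finding("no-view-encryption", "medium",
                                "no client-side encryption; the provider can read stored ePHI "
                                "and this is not a 'no-view' arrangement"))

    if not bucket.get("access_logging"):
        findings.append(Finding("audit-logging", "high",
                                "access logging is off, so there is no audit trail of who read ePHI"))

    if not bucket.get("block_public_access"):
        findings.append(Finding("public-access", "critical",
                                "public access is not blocked"))

    if not bucket.get("versioning"):
        findings.append(Finding("versioning", "low",
                                "versioning is off; accidental deletion or overwrite is not recoverable"))

    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by severity, useful as a quick pass/fail gate in a review."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate_customer_controls(SAMPLE_BUCKET)
    for f in results:
        print(f"[{f.severity}] {f.control}: {f.detail}")
    print(summarize(results))
```

The point of the checker is not the particular fields but the habit: the provider’s capability list is the starting point, and every item on it needs a corresponding customer decision, configuration, and ongoing check, with the result written down alongside your risk analysis.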
5. Does your organization have internal controls that need to be considered (or updated)?
Your organization might already have a mature security and compliance program, but what controls have been established related to the use of a CSP for HIPAA-protected data? If these controls haven’t been formally established, put this on your to-do list.
Or sometimes organizations will have existing controls, but they haven’t been well communicated. As a result, you can have instances of Shadow IT where teams or departments start using the cloud unbeknownst to those in compliance, IT, or security. Be sure that your use of a CSP complies with any existing controls your organization has established. If you’re unsure, reach out and ask those who know. Be sure to educate all employees on the importance of never storing information in the cloud unless they understand and are working within your company’s guidelines for HIPAA compliant cloud storage.
Wrangling HIPAA Compliance in the Cloud
Using a CSP in a HIPAA-compliant manner can be a complex undertaking for any organization. There are numerous issues to consider that go well beyond technical configurations and the compliance documentation written by your CSP.
The five questions in this post are meant to highlight some of the key issues you must consider when selecting a HIPAA compliant cloud storage solution. Of course, given the complexities of this topic, these questions just scratch the surface.
For more information on cloud security and misconfiguration issues, read The 4 Most Common Cloud Storage Security Risks and 3 Things We Can All Learn From Microsoft’s Cloud Data Breach.