
I have read conflicting information on whether PHI can be stored and delivered on a cloud in a HIPAA compliant manner. I hear many people saying you cannot share infrastructure and be HIPAA compliant.

What needs to be taken into consideration when storing PHI on a cloud?

  • This would be a good question for a [Healthcare Industry](http://area51.stackexchange.com/proposals/41370/healthcare-industry?referrer=0FgbVsKaId7Z_15aCbzplg2) stack exchange. – Oleksi Jul 21 '12 at 22:28
  • Yes and not 100% true; yes, you can find 3rd party, "on the cloud" solutions that ARE, themselves, HIPAA and HITECH compliant, ***however***, there are additional considerations and procedural implementations that must take place to stay within these HIPAA and HITECH compliance guidelines when you are using such solutions. –  Aug 18 '15 at 18:23
  • Look into a company called Elastica. They can store everything in the cloud as well as keep everyone HIPAA and PHI compliant. They recently have partnered with Cisco as well so you know they are a legitimate company. –  Oct 06 '15 at 19:35
  • Most of the big cloud providers are HIPAA compliant... Azure compliance https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA AWS Compliance https://aws.amazon.com/compliance/hipaa-compliance/ I mean just google {Cloud Provider} HIPAA and it'll show you whether they're compliant – Ryan Kelso Jan 19 '17 at 12:09

9 Answers


Mostly agree with Lynn.

And to add more - the public clouds are general purpose clouds and hence privacy is not fully implemented. That's the core of the HIPAA requirement. But if there are clouds that are equivalent to HealthVault or purely private clouds, it's very much possible.

My point is - the current public clouds aren't designed with healthcare in mind, but for general purpose connected applications. And hence they aren't fully HIPAA compliant. Also people who manage the clouds need to have HIPAA or CITI or similar certifications in order to be called qualified personnel to manage the cloud! I strongly doubt if there are any public cloud offerings that have these basic criteria satisfied!

Of course this is my personal observation after working in this industry for long and no obligations.

eightShirt
  • +1, perhaps if we got rid of the buzzword "cloud", it'd be easier to see the potential pitfalls. You're running your code and storing your data in a shared services architecture; like an apartment building whose tenants share the same laundry and bathroom facilities. –  Apr 19 '12 at 19:55

The HIPAA Security Rule talks about the security controls required to protect PHI. There are a lot of things you have to take into account - administrative controls, physical security, technical security. I haven't seen anything personally that would completely rule out cloud storage, but I haven't done extensive research. You'd have to work through all the angles for your own application to be sure. And cloud storage certainly presents some challenges, among them:

  • Physical Security - You have to ensure that only authorized people can access the servers themselves. If it's your cloud this presumably isn't a problem, but if you're just storing data on some shared cloud storage farm, you'll have to investigate their security measures and conclude whether they are appropriate.

  • Transmission Security - Seems to me like data in the cloud would be shipped around more, presenting additional challenges around transmission security. But it's nothing you couldn't overcome with secure data channels.

  • While I agree with you, my first thought is that most cloud concerns are basically the same concerns one would have with implementing an HIE. –  Apr 02 '12 at 19:16

Amazon offers a white paper on this very topic for their Amazon Web Services, and touts several clients who have proceeded forward.

See the "Interested in HIPAA Compliance?" sidebar here, as well as this whitepaper.

Update: I followed up on the link provided below by Mike Schenk, and found the following statement:

Q. Does AWS GovCloud offer better security than other AWS Regions?

AWS GovCloud offers the same high level of security as other AWS Regions and supports existing AWS security controls and certifications such as FISMA, SAS-70, ISO 27001, FIPS 140-2 compliant end points, and PCI DSS Level 1. AWS also provides an environment that enables agencies to comply with HIPAA regulations. The only difference is that AWS has added a layer of permissions to the AWS GovCloud Region that restricts access to those on an approved list of US Persons.

dividius
  • Amazon also now offers their GovCloud service that specifically addresses HIPAA compliance: http://aws.amazon.com/govcloud-us/ –  Mar 28 '12 at 16:23
  • Excellent. Thanks for the link! ... but drat, looks like only available to government agencies. –  Mar 29 '12 at 20:27

I had a chance to ask Mark Russinovich from the Microsoft Azure project about this. He said (paraphrasing) that health industries and banking are probably the last group to embrace cloud computing for precisely these reasons.

He also said that it's the responsibility of the cloud owners (Microsoft, in this case) to get the necessary certifications for HIPAA compliance. He did mention that they were SAS/ISO certified and regularly audited by third parties.

I'd say it changes the question from "what is your team doing to implement HIPAA" to "is the third party implementing HIPAA". In my opinion, one question isn't necessarily easier to answer than the other -- it depends on your resources and the resources of the third party.


These are requirements and recommendations from the perspective of a third-party audited HIPAA compliant data center/hosting provider:

Required:

  • Antivirus
  • OS patch management
  • Backup and disaster recovery
  • High availability, redundant firewalls
  • High availability, redundant routers
  • High availability, redundant Internet Service Providers (ISPs)
  • HIPAA trained staff and documented policies

Recommended (offers enhanced security):

  • Two-factor authentication
  • SSL certificate (for web apps)
  • File integrity monitoring
  • Web application firewall
  • Encryption

Whether it's a private cloud or managed servers, these are standard. Read the white paper here: http://www.onlinetech.com/resources/white-papers/hipaa-compliant-data-centers

Thu Pham

I know this is an older topic, but it is still #1 on Google Search so I figured I'd add some clarification. HHS actually provided pretty clear guidance on this issue (for once) and this article is a great reference to what makes the Cloud HIPAA compliant or not: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html

In my opinion, while not required, it is best to use AWS GovCloud (or something similar on other services) for the easiest path to HIPAA Compliance (make sure you get a BAA executed by Amazon). Could you do it with "standard" AWS? Yes. But then you have to justify and answer Risk Assessments differently because you can't guarantee US based personnel only. This of course is not a requirement either of HIPAA, but it certainly expands Risk Assessments in a very burdensome way for most companies.

  • Thanks for contributing, but link-only answers are discouraged here, as they become worthless if the link changes. Instead, pick out the key information from the link and then the link should be seen as supplementary information –  Feb 08 '21 at 15:32
  • I hit post too soon. – Andy Borgmann Feb 08 '21 at 15:34
  • That's okay. But still, please include the key elements from the linked pages in your answer. –  Feb 08 '21 at 17:22

Amazon AWS supports HIPAA compliant hosting. However, it's not cheap: You'll need to use dedicated instances or a dedicated host. AWS will sign a Business Associate Agreement (BAA) with you validating their HIPAA compliance. More information is available here: https://aws.amazon.com/compliance/hipaa-compliance/

They have a technical white paper here: https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

Jesse Barnum
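The answer above says PHI workloads on AWS need dedicated instances or a dedicated host. As an added example (not code from the answer or from AWS), here is a small audit that walks a describe_instances-style response and flags PHI-tagged instances still on shared tenancy; the `DataClass=PHI` tag convention and the sample data are assumptions.

```python
# Added example: audit EC2 instances holding PHI for dedicated tenancy.
# The response shape (Reservations -> Instances -> Placement.Tenancy, Tags)
# is the real EC2 DescribeInstances shape, so the function can be fed the
# output of boto3's ec2.describe_instances()["Reservations"] unchanged.

PHI_TAG_KEY = "DataClass"      # assumed tagging convention, not an AWS standard
PHI_TAG_VALUE = "PHI"
DEDICATED = {"dedicated", "host"}  # EC2 tenancy values that are not shared hardware


def _tags(instance):
    """Flatten the EC2 tag list into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def find_shared_tenancy_phi(reservations):
    """Return [(instance_id, tenancy)] for PHI-tagged instances on shared tenancy.

    An instance without a Placement block is treated as 'default' (shared),
    which is what EC2 assigns when no tenancy is requested.
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if _tags(inst).get(PHI_TAG_KEY) != PHI_TAG_VALUE:
                continue  # not in scope of the BAA, tenancy is irrelevant
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            if tenancy not in DEDICATED:
                findings.append((inst["InstanceId"], tenancy))
    return findings


# Constructed sample response; not real AWS output.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "Placement": {"Tenancy": "dedicated"},
         "Tags": [{"Key": "DataClass", "Value": "PHI"}]},
        {"InstanceId": "i-0bbb", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "DataClass", "Value": "PHI"}]},
        {"InstanceId": "i-0ccc", "Placement": {"Tenancy": "default"},
         "Tags": [{"Key": "DataClass", "Value": "public"}]},
        {"InstanceId": "i-0ddd", "Placement": {"Tenancy": "host"},
         "Tags": [{"Key": "DataClass", "Value": "PHI"}]},
    ]},
]

if __name__ == "__main__":
    for instance_id, tenancy in find_shared_tenancy_phi(SAMPLE_RESERVATIONS):
        print(f"{instance_id}: PHI on shared tenancy ({tenancy})")
```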

Unfortunately laws will always have to catch up with technology.

I looked into this before my employer purchased a new server and I kept coming across firehost http://www.firehost.com/secure-hosting/hipaa - take a look at their information on HIPAA compliance. Another avenue that I looked through for document sharing is google docs which turns out IS NOT compliant (at least when I researched it). Just be sure to document everything and you will decrease the risk considerably if you stick with HIPAA documented providers. I know that some hospitals rent space for their old legacy systems (AS/400) from Siemens since it's cheaper to pay them to secure their application(s) and data than to hire I.T. staff, but that's in an enterprise environment.


Third-Party Cloud providers (Google, Dropbox,...) are NOT HIPAA compliant. They don't have to be according to the law and a read of their Terms of Service and FAQs will tell you this. Here are some of the reasons:

These providers scan all uploads to their storage. Employees (even non-U.S.) are allowed to and do read your data. These services state that, while they don't OWN your data that is uploaded, you are required to give them permission to do whatever they want with your data including editing and public display of your data. This also includes the right to give away your data to third parties.

  • This is not necessarily correct. Third party cloud providers can certainly offer HIPAA compliant environments, and as several of the existing answers indicate, some do. – Xander Mar 29 '13 at 23:11
  • Agreed. This doesn't accurately represent the way that HIPAA works in relation to 3rd party providers. – Polynomial Mar 30 '13 at 00:47