Will your cloud be HIPAA compliant?

Summary: Regulatory compliance will have a major influence on the spread of cloud services to medical providers.

The medical business, due to its geographically dispersed nature, seems like a clear candidate for cloud-based services. Just about every medical office I've dealt with, as a patient, parent, or consultant, has had some form of complaint about the IT services delivered to their practice. Even the large practices attached to universities and teaching hospitals always seem to put IT in the necessary-evil category rather than treat it as a chance for business enhancement.

But the Health Insurance Portability and Accountability Act (HIPAA) makes the security of medical data an absolute necessity for any vendor that handles medical information. This isn't just a set of suggestions: a datacenter that holds protected health information has to meet the strict data-protection standards of the HIPAA Security Rule. The term "HIPAA certified" is loose; the government endorses no HIPAA certifying body, and what a vendor can actually claim is compliance with the requirements in the Code of Federal Regulations (45 CFR Parts 160 and 164), demonstrated through an independent audit. A vendor that stores or processes patient data on behalf of a covered entity is a business associate under HIPAA and must sign a business associate agreement binding it to those same requirements. The compliance steps range from specific training for datacenter workers who have access to protected data, to government audits by the Department of Health and Human Services that check that the regulatory requirements are met. Additional reporting requirements apply, guarantees must be in place for the security of the data, and breaching those guarantees can result in a variety of penalties.

The problem that cloud service providers will face in delivering services to the medical industry is that every datacenter that holds any patient data will need to be HIPAA compliant. There is no simple way of guaranteeing that identifiable components of the patient data will never be exposed when that data may be distributed throughout the cloud. This doesn't mean there won't be HIPAA-compliant clouds; it just means that the broad promise of cloud-delivered services as a best-of-breed choice from among all available offerings won't be available to medical services that must handle patient data.

But this is America, and where there is a perceived need there will be vendors to supply it. Datacenter providers like Colocation America, who just announced the "HIPAA certification" of their datacenters, will undoubtedly team up with other datacenter providers to offer networks of HIPAA-compliant datacenter back ends, enabling application service providers to offer their services to hospitals and medical practices throughout the country.

Talkback

22 comments
  • RE: Will your cloud be HIPAA compliant?

    Every college (all bound by HIPAA one way or another) I know has staff/faculty that use Dropbox. Is that HIPAA compliant?

    Nope.

    Insert online service here. Repeat.

    It's a mess.
    wendellgee2
    • RE: Will your cloud be HIPAA compliant?

      @wendellgee@... Where I work, the federal cost of a HIPAA infraction (not a breach, just a single infraction) is $1.5 million!
      hforman@...
  • RE: Will your cloud be HIPAA compliant?

    This discussion is long overdue.

    By their very nature, hosted cloud services are NOT compliant. Security, integrity, backups, and other issues are way too many.

    A private cloud, where the data owner makes their own cloud, is going to be marginally better, but anything on the open internet is more likely to be hacked than a closed system. And with a closed system, you have a means to figure out who did the wrongdoing (though to fix things then becomes more expensive if they cause trouble, but who can anyone trust these days?)

    But, true, as individuals it's out of our hands, so hope that the people being brought in give even a millisecond of conscious thought.

    But when management doesn't know, or if they are relying on someone else who is hyping up "yes, do it this way like all the other lemmings in the herd", what else can one do?
    HypnoToad72
  • RE: Will your cloud be HIPAA compliant?

    I have distrusted the concept of "the cloud" since I first heard of it. Who is responsible for the security of the "cloud"? Is it just my data that's in there, or is the "cloud" shared with others? Is anybody making backups? I don't worry too much about it; AFAIK nothing that I "own" is stored in a cloud.

    Now, if my doctor is storing his patients' medical history in "the cloud" I think I would be quite concerned. He, also, should be quite concerned! He's a great doctor, but I'm not certain that he can find the ON/OFF switch on a computer.
    draco vulgaris
    • RE: Will your cloud be HIPAA compliant?

      @draco vulgaris This is why some doctors are having patients sign a waiver, as they also have no control over what is put out there once it leaves their office, even though they have to send the info to the great government computer in the sky to get the medical bills paid by Medicaid, Medicare, CHAMPUS/Tricare (VA program), or most insurance providers, who want to see where the money went before they pay. Sure, they use codes, but they are very specific, down to left and right kidney when surgery is involved.
      fierogt
      • RE: Will your cloud be HIPAA compliant?

        @fierogt Waivers won't matter in a HIPAA violation. Has nothing to do with the patient. They will have to pay the FEDs. That is the law.
        hforman@...
  • RE: Will your cloud be HIPAA compliant?

    You can store info in the cloud as long as it was encrypted on-site before uploading, and the cloud service provider (in case it is a service, i.e. the cloud is not private) should not have the key.

    The best answer is "zero knowledge policy" - cloud service provider should have zero knowledge about your data. I found only one service provider with zero knowledge policy and acceptable prices - spideroak.com
    Tomas M.
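The "encrypt on-site, provider never holds the key" pattern Tomas M. describes, as an added example that is not part of the original thread and is not SpiderOak's or any other product's code. It assumes a hypothetical in-memory CloudStore standing in for the provider, a client-generated AES-256 key that never leaves the client, and a constructed sample record; the object name is bound into the ciphertext as AES-GCM associated data so the store cannot silently serve one record under another name.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is all the (hypothetical) provider ever holds for one object:
// a fresh nonce and the AES-GCM ciphertext with its 16-byte tag. No key.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// CloudStore stands in for the service provider's storage. It can read and
// return anything it holds, which is exactly the exposure the comment raises.
type CloudStore struct{ blobs map[string]Record }

func NewCloudStore() *CloudStore { return &CloudStore{blobs: map[string]Record{}} }

func (s *CloudStore) Put(name string, r Record) { s.blobs[name] = r }

func (s *CloudStore) Get(name string) Record { return s.blobs[name] }

// NewClientKey makes the 256-bit data key on the client. A real client would
// wrap it with a passphrase-derived or hardware-held key; it never goes to the store.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under a random nonce. The object
// name is bound in as associated data, so a blob moved to another name fails to open.
func Seal(key []byte, name string, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Open decrypts a Record; it fails on a wrong key, a modified blob, or a
// blob presented under a different name.
func Open(key []byte, name string, r Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(r.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(name))
}

// RoundTrip runs the full flow against a fresh store and reports: the recovered
// plaintext, whether the stored blob still contains the plaintext bytes, and
// whether opening it under another name and under another key are both rejected.
func RoundTrip(name string, plaintext []byte) (recovered []byte, storeSeesPlaintext, tamperRejected bool, err error) {
	key, err := NewClientKey()
	if err != nil {
		return nil, false, false, err
	}
	store := NewCloudStore()
	rec, err := Seal(key, name, plaintext)
	if err != nil {
		return nil, false, false, err
	}
	store.Put(name, rec) // upload: ciphertext and nonce only
	got := store.Get(name)
	storeSeesPlaintext = bytes.Contains(got.Ciphertext, plaintext)
	if recovered, err = Open(key, name, got); err != nil {
		return nil, false, false, err
	}
	_, renameErr := Open(key, "other/"+name, got)
	wrongKey, _ := NewClientKey()
	_, keyErr := Open(wrongKey, name, got)
	return recovered, storeSeesPlaintext, renameErr != nil && keyErr != nil, nil
}

func main() {
	// Constructed sample record; not real patient data.
	pt := []byte("patient=Jane Doe;mrn=00012345;dx=hypertension")
	rec, seen, rejected, err := RoundTrip("records/00012345", pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q store_sees_plaintext=%v tamper_rejected=%v\n", rec, seen, rejected)
}
```

The design point is that the provider's Record type has no field for a key: whatever its employees or its terms of service allow them to look at, all they can see is nonce and ciphertext. Key management (passphrase wrapping, backup of the key, revocation) stays entirely on the customer side, which is the price of a zero-knowledge arrangement.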
  • RE: Will your cloud be HIPAA compliant?

    When people talk about HIPAA certification it bugs me. The government does NOT endorse ANY HIPAA certifying bodies. Starting this year there will be a permanent certification program for HIT technology (http://origin.www.gpo.gov/fdsys/pkg/FR-2011-01-07/pdf/2010-33174.pdf), but there is no such thing as "HIPAA certified"; you can, however, be HIPAA compliant by following the rules set forth.
    falconae
  • RE: Will your cloud be HIPAA compliant?

    The problem I always see is in the concept of the public cloud. Many of us have signed Non-Disclosure Agreements that prohibit us from the unauthorized release of information (HIPAA or otherwise) outside of the company. If you read the terms of service, or have been following the changes in terms of service, they claim that their employees can see what you upload as part of their job (while it is discouraged by the cloud providers), and those employees have not signed an NDA with you or your company. Suppose you were a lawyer working for a DA office and a "Britney Spears" type of trial came up, and one of the cloud employees found it by some sort of search and uploaded the info to his or her blog, the AP, Yahoo, Reuters, TV networks... If you read the TOS for Dropbox or for Google Docs, they reserve the right to make your data public (even if it is the claim that they are doing this to provide you with their services). You are not allowed to sue them. If there are any costs, no side can be forced to pay more than $1000... If you don't believe this, look it up. Terms are on their websites. Now, what if that info has HIPAA roots...?
    hforman@...
    • RE: Will your cloud be HIPAA compliant?

      @hforman@... That's why you need a service with "Zero knowledge" policy.
      Tomas M.
  • RE: Will your cloud be HIPAA compliant?

    My doctor did put my info in the cloud and now he is being sued. Our info was stolen July 2 and he was told July 9; we were told Aug 31. If anyone puts my info in the cloud I am suing them for all they've got.
    ttx19
  • RE: Will your cloud be HIPAA compliant?

    Cloud or data center providers that claim to be HIPAA certified (the correct term is "compliant") should be able to provide a copy of their independent HIPAA audit report to their clients. I'm not sure Colocation America, or many other data centers that claim to be "HIPAA-ready" or "HIPAA certified", can, nor do their clients realize that.
    onlinetech
    • RE: Will your cloud be HIPAA compliant?

      @onlinetech Thanks for being one of the sane ones; see my comment from yesterday. I cringe every time I see someone say "certified". It's all being driven by houses that want to market "certification" to businesses and bank on the fact that there is not an endorsed certifying body yet... it will be coming soon, though. As they start certifying HIT providers like datacenters for the HITECH act, eventually I think those same certifying houses will be expanded to HIPAA providers and associates.
      falconae
  • RE: Will your cloud be HIPAA compliant?

    Additionally, these are the key questions you should be asking your HIPAA hosting provider: http://www.onlinetech.com/resources/e-tips/hipaa-compliance/five-questions-to-ask-your-hipaa-hosting-provider
    onlinetech
  • Maybe ALL clouds should be HIPAA Compliant

    Since all medical and educational facilities must be HIPAA Compliant, why not make all clouds HIPAA and be done with it?
    linux for me
    • RE: Will your cloud be HIPAA compliant?

      @linux for me - Providers will not be able to analyze your data and sell the stats :)))
      Tomas M.
  • One foolish act renders all this non-compliant.

    I recently watched a video that Peter Coffee was involved in; to paraphrase his words: there are many ways to lock down the SaaS, IaaS, and PaaS models to conform with the demand to be HIPAA compliant, but one user can print out a document/patient record, leave it on a desk by an open door, and your system is no longer compliant.

    Until personnel are trained correctly on what HIPAA truly means, the true definition of a compliant solution for customers is always going to be in question.
    daveinboise
    • Employee training required.

      Very true. You can be compliant on the technical side, but HIPAA is mostly based on policies and procedures of day-to-day operations. All of your employees need to be trained in ongoing compliant workplace behavior or you'll never pass a HIPAA audit. That's the mistake of many in IT - assuming that the technical side is in place and that's where the responsibility ends.
      onlinetech