HIPAA Cloud Compliance

Cloud security and privacy in context of HIPAA

What is the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary United States legislation that regulates the data private and security of protected health information, also known as PHI. The act, Public Law 104-191, contained provisions requiring the Department of Health and Human Services (HHS) to “adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security,” HHS has published multiple rules to satisfy this requirement, resulting into a combined regulatory text published in March 2013. All encompassed, HIPAA requires all health care providers and organizations and their business associates to enact comprehensive data privacy and security specifications on PHI.

The regulation consists of two fundamental rules: the Security Rule and the Privacy Rule. The details and obligations of these rules are defined below.

Other relevant provisions include the guarantee of health insurance coverage for individuals who lose or change their jobs. HIPAA also establishes procedures for breach notification in the HIPAA Breach Notification Rule. Covered entities and business associates are required to notify patients following data breaches. The scope of organizations required to notify of breaches of PHI was expanded by the Federal Trade Commission (FTC) in 2010 to include vendors of electronic health records (EHRs) and EHR-related systems.

Through its provisions, HIPAA requires strict privacy and security safeguards on PHI and ePHI and non-compliance can result in significant penalties. The financial penalties are based on the level of negligence and the nature of the non-compliance. Ultimately, the secretary of HHS has full discretion in determining the penalty.

A public list of breaches is also maintained by HHS, placing a spotlight on organizations who have experienced data loss in their organization.

Who does it apply to?

Healthcare providers and organizations
Business associates (BA) and subcontractors of BAs of health care entities (as defined by the Health Information Technology for Economic and Clinical Health (HITECH))

What data are protected?

Protected health information is “individually identifiable health information” as defined by:
- Any information, including demographic information, collected from an individual that is created or received by a health care entity or BA
- Any information that can be reasonable used to identify an individual that relates to the past, present, or future physical or mental health or condition of that individual
- Any information that relates to the provision of healthcare to that individual
- Any information pertaining to the past, present, or future payment for the provision of healthcare to that individual

Requirements

Privacy rule

The HIPAA Privacy Rule regulates the use and disclosure and requires appropriate safeguards of an individual’s PHI by covered entities and BAs. The Privacy Rule also grants patients rights over their health information, including the right to request corrections and examine and obtain a copy of their health records.

Security rule

The HIPAA Security Rule primarily regulates electronic PHI (ePHI) by establishing standards to protect this electronic information that is created, received, used, or maintained by a covered entity. The Security Rule identifies three particular safeguards – administrative, physical, and technical – to ensure security of the data and compliance with the regulation.

Data security and procedures

Implement a mechanism to encrypt ePHI whenever appropriate. Apply appropriate sanctions against employees who do not comply with security policies and procedures.

Risk management and analysis

Conduct a risk analysis of potential risk and vulnerabilities to security of ePHI. Implement security measures to reduce risks and vulnerabilities.

Audit policy

Assign a unique name and/or number for identifying and tracking user identity. Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed and regularly review electronic records and audit logs.

Data backup and handling

Establish procedures to protect information in the case of an emergency or disaster and create and maintain copies of ePHI. Implement policies and procedures to address the disposal of ePHI.