HIPAA in the Cloud
With more and more health care providers deciding to move to the cloud, one must ask how a cloud platform can handle sensitive information such as protected health information (PHI) that falls under HIPAA. As a Google deployment specialist, I receive some fairly common questions from clients about how to handle PHI in the cloud. Can I use PHI in Google’s services? What steps should administrators take so that end users can safely work with PHI in the cloud? How can I trust that our data is secure? We’ll look at how a HIPAA covered entity can use a cloud platform like Google’s G Suite to ensure its sensitive health information is handled safely and securely, and how we at Wursta can help with that migration.
HIPAA, the Health Insurance Portability and Accountability Act, is U.S. legislation that sets data privacy and security regulations for safeguarding medical information. The medical information it protects, referred to as Protected Health Information (PHI), includes medical records, medical billing information, and patient history.
An organization or person that is directly subject to HIPAA privacy regulations is known as a covered entity. Covered entities fall into three categories:
- Health plans (e.g. insurance providers)
- Health care clearinghouses (e.g. organizations that provide billing and payment services or manage health information systems)
- Health care providers (e.g. doctors, nurses, physicians, and hospital systems)
A business associate is an organization or person that provides services or performs functions on behalf of a covered entity that involve the use or disclosure of PHI. Before a business associate and a covered entity can work together, they must execute a Business Associate Agreement (BAA) that governs how the transfer of PHI will be managed and secured.
HIPAA & Cloud Service Providers
Cloud service providers (CSPs) have exploded in popularity over the past few years, but covered entities were hesitant to make the jump because of ambiguity over what it would mean for HIPAA compliance. To clear up the confusion, the U.S. Department of Health and Human Services (HHS) issued guidance last year clarifying the use of CSPs and what it means for HIPAA obligations.
With a BAA in place, HIPAA compliance becomes a shared responsibility between the covered entity and the CSP. The covered entity remains responsible for securing the data and content it brings to the cloud, while the CSP becomes responsible for securing the infrastructure on which that data is transmitted, stored, and managed. To tie it all together, we’ll look at a popular cloud service that we at Wursta provide, Google’s G Suite, to show what executing a HIPAA BAA entails.
HIPAA Implementation for G Suite
Google will enter into a BAA with any customer looking to bring PHI into the cloud, as part of a larger G Suite services agreement. The BAA covers a majority of the G Suite core services, including the most used ones: Gmail, Drive, Docs, Sheets, Hangouts, and Calendar. You can find the list of covered G Suite services here. All other services not explicitly covered by the BAA should be disabled, or you should otherwise ensure they are not used in connection with PHI. You can separate the users in your domain who manage PHI from those who don’t by using organizational units, which lets you control who has access to each service.
Google provides an easy-to-follow implementation guide for configuring G Suite for HIPAA compliance, which we also cover in our training when you migrate to G Suite. Customers should follow security best practices to help keep data secure. End users who manage PHI should set up 2-step verification to reduce the risk of unauthorized access if a user’s password is compromised. The organization should also configure SPF and DKIM to prevent spammers and phishers from spoofing the domain. Wursta keeps your data security up to date and running smoothly as issues arise, and works to prevent them from recurring with our Security Cloud Risk Assessment. We will be talking about this and more on July 27th; please click the link below to find out more!
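As an added example (not part of the original post or of Google's own tooling), the following Python audits the SPF and DKIM TXT records an administrator publishes for a G Suite domain: it checks that Google's senders are authorized, that the `all` qualifier is not permissive, that the record stays within the ten-lookup limit of RFC 7208, and that the DKIM key has not been revoked. The record strings and the vendor include are constructed samples; a real audit would fetch them with a DNS lookup.

```python
import re

# Constructed sample TXT records for a hypothetical domain; not real DNS data.
SPF_GOOD = "v=spf1 include:_spf.google.com ~all"
SPF_WEAK = "v=spf1 include:_spf.google.com include:bulk.vendor.test a mx +all"
DKIM_GOOD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekey"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)
# Google Workspace outbound mail servers are authorized through this include.
GOOGLE_INCLUDE = "include:_spf.google.com"


def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means it passes."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    # Strip the optional qualifier (+ - ~ ?) to compare mechanisms by name.
    bare = [t[1:] if t[0] in "+-~?" else t for t in terms[1:]]
    if GOOGLE_INCLUDE not in (b.lower() for b in bare):
        findings.append("missing include:_spf.google.com, so Google's outbound servers are not authorized")
    alls = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism; unlisted senders are treated as neutral")
    elif alls[-1].lower() in ("all", "+all"):
        findings.append("'+all' passes every sender; use ~all or -all")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def audit_dkim(record: str) -> list[str]:
    """Return findings for a DKIM key record (the selector._domainkey TXT entry)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        findings.append("unexpected version tag")
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked, so signatures will not verify")
    return findings


if __name__ == "__main__":
    for name, rec in [("SPF_GOOD", SPF_GOOD), ("SPF_WEAK", SPF_WEAK)]:
        print(name, audit_spf(rec) or "OK")
    for name, rec in [("DKIM_GOOD", DKIM_GOOD), ("DKIM_REVOKED", DKIM_REVOKED)]:
        print(name, audit_dkim(rec) or "OK")
```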