No Encryption or BAAs: Keep PHI Off Unsecure Clouds

Google Drive, formerly Docs, is a free collaboration tool that can be used to store and manage large amounts of data – unless that data falls under the scope of protected health information (PHI); that is, personal patient health record data.

Google Drive, formerly Docs, is a free collaboration tool that can be used to store and manage large amounts of data – unless that data falls under the scope of protected health information (PHI); that is, personal patient health record data.

Recently it was revealed that Oregon Health & Science University (OHSU) kept a Google spreadsheet to maintain and exchange information about patient admissions to the hospital under the Division of Plastic and Reconstructive Surgery, as well as within two other urology and kidney transplant departments. About 3k patients were listed – while there was no reported data breach, merely the discovery of the unsecured cloud data was enough to require breach notification under HIPAA.

While the popular online document storage service is a classic example of what cloud computing can provide, it cannot meet the security requirements desired by the HIPAA mandate that was recently updated to include data storage/cloud service providers within the scope of liability. HIPAA comes with fines and penalties for data breaches of patient information.

Cloud service providers are now considered business associates, meaning they must sign a business associate agreement (BAA) with healthcare clients that use their services (Google does not  currently sign BAAs).

Additionally, encryption of data at rest and in transit is an addressable but highly recommended aspect of meeting HIPAA compliance, and it also makes a healthcare organization exempt from the HIPAA Breach Notification Rule, primarily because encryption renders data unreadable even if accessed by unauthorized individuals. Google does not encrypt files stored on Google Drive.

When contracting with a HIPAA cloud provider, ask them if they provide encryption and at what level. Check their HIPAA audit reports and risk assessments if they have them, and ask which technical security services can help them fulfill HIPAA requirements. Make sure their BAA addresses who has access to the data, how data is handled after service termination and breach notification policies. Read Five Questions to Ask Your HIPAA Hosting Provider for a more detailed explanation of the questions to ask.

For more about HIPAA security and cloud infrastructure, read our HIPAA Compliant Hosting white paper.

This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

Learn more about cloud security and private clouds in healthcare:
How the HIPAA Cloud Protects PHI for Physician Software as a Service (SaaS)
How does the HIPAA compliant cloud support and enable progression of health IT and patient care? By creating a high availability, reliable data and application hosting infrastructure that’s secure enough to meet healthcare industry data security compliance regulations, like the Health … Continue reading →

Encryption for the HIPAA Compliant Cloud
Many cloud computing infrastructure as a service (IaaS) providers may provide log monitoring, antivirus, web application firewalls, SSLs, dedicated SANs and more for healthcare organizations, but often the missing ingredient lies in one key technical aspect: encryption. Encryption for healthcare … Continue reading →

References:
OHSU Notifies Patients of ‘Cloud’ Health Information Storage