Healthcare entities taking advantage of cloud computing must make sure that their cloud partners strictly comply with HIPAA regulations.

1. www.medicaltranscriptionservicecompany.com (800) 670 2809
Healthcare Cloud
Adoption – HIPAA Still
the Major Priority
Healthcare entities taking advantage of
cloud computing must make sure that their
cloud partners strictly comply with HIPAA
regulations.
MTS Transcription Services
United States

2. www.medicaltranscriptionservicecompany.com (800) 670 2809
Many healthcare organizations are now embracing cloud computing to meet their digital
transformation. According to the latest BCC Research report, the global healthcare cloud
computing market will hit $35 billion by 2022, with a compound annual growth rate of
11.6%.Many physicians are relying on cloud-based medical transcription services, as that
provides diverse benefits such as reduction in infrastructural costs, and scalability as cloud
storage does not have a fixed data storage size. Leveraging cloud services for healthcare
initiatives, helps in offload data collection, increased security, disaster recovery and backup,
data backup and storage, data processing and analytics, creating an edge computing ecosystem
and improving telemedicine capabilities. While health cloud provides all such benefits, security
remains the top consideration for organizations moving into the healthcare cloud. Though basic
data security options are still implemented with cloud computing, HIPAA compliance is critical
for a secure healthcare cloud.
The Right Healthcare Cloud Partner Helps
The HIPAA Privacy, Security, and Breach Notification Rule aims at protecting the privacy and
security of electronic protected health information (ePHI). Covered entities and business
associates must comply with the applicable provisions of the HIPAA Rules. For healthcare
organizations just starting out to use health cloud, the first step is to make sure their cloud
partner can meet their needs. A healthcare cloud partner must be able to properly secure and
manage your data, accommodate changing needs, and provide services for both today and the
near future.
While choosing a cloud partner, healthcare providers must make sure that the chosen partner
understands your business and allows your healthcare services to be properly aligned. The right
partner not only helps the organization scale, but also helps it maintain a competitive edge.
Also, ensure that when working with disaster recovery or data backup, the cloud partner meets
the unique needs of the organization. An organization must sign the business associate
agreement (BAA) and assume additional liability to manage protected healthcare information
(PHI).
Google, Amazon and Microsoft Azure are the three top cloud service providers. Google uses
128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the
platform, and between and in its data centers. Google suggests that HIPAA-compliant
healthcare organizations must not use G Suite in connection with PHI until a business associate
agreement (BAA) has been obtained. Once the BAA has been obtained, it is the responsibility of
the covered entity or business associate using the service to ensure that HIPAA Rules are
followed. AWS- Amazon and Microsoft Azure use 256-bit or stronger Advanced Encryption
Standard (AES) default to protect data in transit to the platform, and between and in its data

3. www.medicaltranscriptionservicecompany.com (800) 670 2809
centers. AWS Work Docs is HIPAA eligible, which means with the proper implementation it can
be HIPAA compliant.
Guidelines on HIPAA and Cloud Computing
The U.S Department of Health & Human Services has provided certain guidelines to assist
HIPAA-regulated cloud service providers (CSPs) and their customers in understanding their
responsibilities, which include:
• All cloud service providers (CSPs) that are business associates must comply with the
applicable standards and implementation specifications of the Security Rule with
respect to ePHI.
• Access controls to be implemented by the customer and the CSP depends on the
respective security risk management plans of the parties as well as the terms of the
BAA.
• Even when the parties have agreed that the customer is responsible for authenticating
access to ePHI, the CSP may still be required to implement appropriate internal controls
to assure only authorized access to the administrative tools that manage the resources.
• CSPs should also consider the risks of using obsolete administrative tools. The CSP and
the customer should each confirm in writing, in either the BAA or other documents, how
each party will address the Security Rule requirements.
• While a CSP that provides only no-view services to a covered entity or business
associate customer may not control who views the ePHI, the CSP still must ensure that it
itself only uses and discloses the encrypted information as permitted by its BAA and the
Privacy Rule, or as otherwise required by law.
• If a covered entity uses a CSP to maintain electronic protected health information (ePHI)
without entering into a BAA with the CSP, the covered entity (or business associate) is in
violation of the HIPAA Rules.
• While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from using or disclosing
the data in a manner that is inconsistent with the Rules.
• A business associate agreement (BAA)must require the business associate to report to
the covered entity or business associate whose electronic protected health information
(ePHI) it maintains, any security incidents of which it becomes aware.
• The BAA could also specify appropriate responses to certain incidents and whether
identifying patterns of attempted security incidents is reasonable and appropriate.
• A business associate CSP must implement policies and procedures to address and
document security incidents, and must report security incidents to its covered entity or
business associate customer.

4. www.medicaltranscriptionservicecompany.com (800) 670 2809
• Healthcare providers, other covered entities, and business associates may use mobile
devices to access ePHI in a cloud as long as appropriate physical, administrative, and
technical safeguards are in place to protect the confidentiality, integrity, and availability
of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place
with any third party service providers for the device and/or the cloud that will have
access to the e-PHI.
Covered entities of all sizes need to understand both the potential pros and cons of the
healthcare cloud. While considering outsourcing medical transcription, healthcare firms must
also make sure that the company they partner with is HIPAA compliant and experienced.