1 GROWING TREND
CLOUD-BASED STORAGE IS A GROWING TREND IN HEALTH CARE.
• Health care providers are using cloud storage for data collection, aggregation, analytics, and decision making.
• By 2020, 80 percent of health care data will pass through “the cloud” at some point in its lifetime. [1]
[1] http://www.fiercehealthit.com/story/2015-healthcare-predictions-growth-analytics-mobile-security-risks/2014-11-21
2 BUSINESS ASSOCIATE
• According to the HIPAA Omnibus rule, cloud storage providers are business associates and must comply with privacy and security rules.
A VENDOR DOES NOT HAVE TO VIEW PATIENT DATA TO BE CONSIDERED A BUSINESS ASSOCIATE.
3 BUSINESS ASSOCIATE AGREEMENT (BAA)
BAA’S MAIN PURPOSE:
• To legally document and acknowledge the relationship between the covered entity and the cloud storage provider, while also setting rules and expectations for each party.
• The cloud storage provider must understand that it is required to take certain steps to appropriately safeguard the privacy and security of the data it stores.
ASK YOUR CYBER LIABILITY INSURANCE PROVIDER ABOUT WHAT TO INCLUDE IN A BAA.
4 HIPAA COMPLIANCE
JUST BECAUSE CLOUD STORAGE VENDORS CLAIM THEY ARE “CERTIFIED HIPAA COMPLIANT” DOES NOT MEAN THEY ACTUALLY ARE.
• Proper vetting must take place on any vendor you are considering.
• Some third parties will assess HIPAA compliance among cloud storage providers, but such HIPAA certification is not recognized by HHS or any other government body.
  -- A cloud provider’s (or a third-party reviewer’s) definition of HIPAA compliance may not equate to the HHS definition of compliance.
5 HIPAA COMPLIANCE
YOU MIGHT WANT TO ASK
1. About obtaining documentation of a quality third-party assessment of the vendor’s HIPAA compliance.
2. How often does the cloud provider conduct a risk analysis, and will they provide information from their most recent risk analysis?
3. What specific security controls do they have in place? (For example, what form of encryption is used and on what information? Who has access to the keys?)
6 HIPAA COMPLIANCE
• According to the HIPAA Omnibus rule, covered entities share the responsibility when a business associate has a security breach, meaning both are responsible for sending proper notifications if a security breach occurs.
• Two separate risk assessments must occur – one must be conducted by the cloud provider and one must be conducted by the covered entity.
7 DATA STORAGE POLICY
QUESTIONS TO ASK
• How will the vendor back up the data? How will the data be restored?
• Will the vendor’s staff ever read or look at the data? If so, in what situations?
• Under what circumstances would the vendor turn data over to law enforcement, with or without a warrant?
• What happens if you surpass your storage limits?
• Does the vendor have a plan for returning your data if the vendor is sold, goes out of business, or your contract is terminated?
8 CONCLUSION
• When choosing a cloud storage provider, be cautious about claims of HIPAA compliance.
• Appropriately vet the vendor and sign an appropriate BAA to ensure patient privacy and security.
• Choose a provider that understands the requirements of the HIPAA Omnibus rule.
9 SOURCES
• Cloud Security Toolkit, Navigating HIPAA While Moving to the Cloud by Adam H. Greene, JD, MPH
  http://www.himss.org/ResourceLibrary/genResourceDetailPDF.aspx?ItemNumber=28307
• Top 10 Things to Consider About Omnibus for Cloud Storage
  http://www.ironmountain.com/~/media/Files/Iron%20Mountain/Knowledge%20Center/Reference%20Library/Best%20Practices/Top_10_Things_to_Consider_About_Omnibus_for_Cloud_Storage.pdf?dmc=1&ts=20150810T1230482174
10
ABOUT TMLT:
With more than 17,500 physicians in its care, Texas Medical Liability Trust (TMLT) provides malpractice insurance and related products to physicians. Our purpose is to make a positive impact on the quality of health care for patients by educating, protecting, and defending physicians. www.tmlt.org
PROTECTION FOR A NEW ERA OF MEDICINE