If you are involved in healthcare IT, you know all about HIPAA and the responsibility it puts on the organization to protect patient information. In the early days of HIPAA regulations, there were only general guidelines and required outcomes to help direct IT departments in reaching compliance. The fact that most organizations maintained a “closed” system, meaning they had their own data center with very little data being exposed outside of the organization, made compliance relatively simple. Our biggest worry was the tape media being rotated out to our favorite offsite storage facility. Over time, data center strategies have evolved to include collocation and managed services. While this has added some complexity to HIPAA compliance, you still know exactly where your data resides and have a good idea of who could potentially access it from the third party provider. Now cloud computing has been added to the mix of service options. This adds some interesting HIPAA compliance challenges since absolute end-to-end control of the data is no longer assured.
Challenges in the cloud
For the sake of this discussion, we are only concerned with the concept of a public cloud. A private cloud that is served from your own data center is no more a concern than delivering services from traditional non-cloud based servers. For HIPAA, data privacy is a key component. In order to maintain security, you need to know where your data resides, take precautions to preserve privacy, and employ mechanisms to audit access. In the cloud, servers, network, and storage are designed to be abstracted which means you do not know where things physically reside.
Getting data to and from the cloud is not terribly challenging. Most organizations move data securely today over the public network (a.k.a. the Internet) using various encryption methods such as VPN tunnels and secure SSL web communication. Once the data reaches the cloud, it becomes a bit more problematic. Ideally, all data would be encrypted from end-to-end including storage. However, few healthcare application vendors support this. So, in the cloud, you will have a number of people with access to the physical servers and storage that you have no control over. Since complete control of the data and cloud computing seems to be in conflict, certain precautions need to be employed. Given the current absence of industry-wide certifications that would ultimately provide legal protection, the organization needs to negotiate a strong contract with the cloud provider that protects its interests. The cloud vendor should also be required to provide detailed reporting which includes all access to the servers and storage by anyone within their organization. The contract should include strong financial penalties to help incentivize the vendor and indemnify the healthcare provider in case there is a breech.
HIPPA, HITECH and meaningful use implications
Let’s look at the HIPAA and Cloud question from a different perspective. In 2009, the American Recovery and Reinvestment Act (ARRA) expanded HIPAA to include the Health Information Technology for Economic and Clinical Health Act (HITECH) and meaningful use provisions. Organizations are now positioning to attain meaningful use in order to capture the incentives allocated by the Federal Government. In a few years, that carrot becomes a stick, and reimbursements will be in jeopardy for those who are not in line with the meaningful use provisions. The increased use of technology solutions in delivering clinical care as put forth in meaningful use is putting additional stress on IT departments. Most healthcare organizations cannot provide basic data center services in line with fundamental best practices let alone operate a data center that approaches 99.999 percent availability. This means that most organizations are at risk for unscheduled outages. In an environment that is increasingly dependent on technology availability, this is becoming a life and death situation. Fixing the problem is expensive and, in general, health care providers should not be in the data center business – but that’s another story. Cloud computing can provide a very cost effective solution for organizations needing to attain a certain level of availability but not wanting to invest the capital to build it on their own. With a cloud vendor, you in effect “rent” server, virtualization, network, storage, and security experts rather than having to keep them on your own payroll. Some of these folks are in high demand and can be very expensive to hire.
When discussing high availability of clinical applications in route to achieving meaningful use, one must include infrastructure. If you are going to meet uptime requirements, you will need more than one data center. Undertaking the infrastructure work yourself will double your overall capital investment in data center infrastructure. This is another area where the cloud shines. An attribute of the cloud is rapid provisioning and deployment. You are able to change compute capacity as demand changes. In the cloud, server instances can also be quickly moved to alternate hosts or clustered to provide redundancy in case of failure. This is the easiest and least expensive way for even the smallest organizations to achieve what has historically been within only the reach of larger integrated delivery networks.
HIPPA compliance and cloud computing – the bottom line
The bottom line is that cloud adoption and achievement of HIPAA compliance do not have to be in conflict. As with any evolving or new technological solution, it is critical for organizations to perform their due diligence so they fully understand not only the technology, but how it impacts their environment. IT must develop the necessary skills or engage the assistance from a trusted advisor. They cannot shy away from new technology because they do not understand it. The cloud is here to stay, and can provide a financial advantage to those who embrace it.