HIPAA vs The Cloud

By Chris Witt
10:43 AM

If you are involved in healthcare IT, you know all about HIPAA and the responsibility it puts on the organization to protect patient information. In the early days of HIPAA regulations, there were only general guidelines and required outcomes to help direct IT departments in reaching compliance. The fact that most organizations maintained a “closed” system, meaning they had their own data center with very little data being exposed outside of the organization, made compliance relatively simple. Our biggest worry was the tape media being rotated out to our favorite offsite storage facility. Over time, data center strategies have evolved to include colocation and managed services. While this has added some complexity to HIPAA compliance, you still know exactly where your data resides and have a good idea of who could potentially access it from the third-party provider. Now cloud computing has been added to the mix of service options. This adds some interesting HIPAA compliance challenges since absolute end-to-end control of the data is no longer assured.

Challenges in the cloud

Getting data to and from the cloud is not terribly challenging. Most organizations move data securely today over the public network (a.k.a. the Internet) using various encryption methods such as VPN tunnels and secure SSL web communication. Once the data reaches the cloud, it becomes a bit more problematic. Ideally, all data would be encrypted end to end, including storage. However, few healthcare application vendors support this. So, in the cloud, you will have a number of people with access to the physical servers and storage over whom you have no control. Since complete control of the data and cloud computing seem to be in conflict, certain precautions need to be employed. Given the current absence of industry-wide certifications that would ultimately provide legal protection, the organization needs to negotiate a strong contract with the cloud provider that protects its interests. The cloud vendor should also be required to provide detailed reporting that includes all access to the servers and storage by anyone within their organization. The contract should include strong financial penalties to help incentivize the vendor and indemnify the healthcare provider in case there is a breach.

HIPAA, HITECH and meaningful use implications

When discussing high availability of clinical applications en route to achieving meaningful use, one must include infrastructure. If you are going to meet uptime requirements, you will need more than one data center. Undertaking the infrastructure work yourself will double your overall capital investment in data center infrastructure. This is another area where the cloud shines. An attribute of the cloud is rapid provisioning and deployment. You are able to change compute capacity as demand changes. In the cloud, server instances can also be quickly moved to alternate hosts or clustered to provide redundancy in case of failure. This is the easiest and least expensive way for even the smallest organizations to achieve what has historically been within the reach of only larger integrated delivery networks.

HIPAA compliance and cloud computing – the bottom line

As President and Co-Founder of WAKE TSI, Chris Witt oversees data center and infrastructure-architecture relationships with some of the nation’s best hospitals, health networks, payers, and university teaching and research institutions as well as many large organizations in the commercial, federal and state business sectors in the Mid-Atlantic. His technical background, which includes nearly thirty years of evolving with developing IT trends and leading-edge architecture, is complemented with over fourteen years of managing projects, budgets, personnel, and operations. He is a published author and veteran speaker. Chris holds an MBA in Technology Management from the University of Phoenix, and a BS in Computer Science from Villanova University. For more information on WAKE TSI, a list of services, references or an RFP please contact info@WAKETSI.com.