Security and compliance around personal data has been getting more attention as more individuals become familiar with new and old legislation on the topic. It was in 1996 that the Health Insurance Portability and Accountability Act (HIPAA) was enacted to address data security in the healthcare industry. In this blog article, we take a deeper look at HIPAA’s sections, what it means to be compliant and, more specifically, HIPAA compliance in the cloud.
What is HIPAA?
The Health Insurance Portability and Accountability Act was signed into law under President Bill Clinton in order to keep patient data and records secure. The act includes five Titles:
Title I: HIPAA Health Insurance Reform
Title II: HIPAA Administrative Simplicity
Title III: HIPAA Tax-Related Health Provisions
Title IV: Application and Enforcement of Group Health Plan Requirements
Title V: Revenue Offsets
When considering the cloud and cybersecurity, it’s Title II that is the focus when speaking about HIPAA compliance. Title II, Administrative Simplicity, includes the following compliance requirements:
- National Provider Identifier Standard - each healthcare entity (e.g. individuals, organizations, health plans) must have a unique 10-digit National Provider Identifier (NPI)
- Transactions and Code Sets Standards - healthcare organizations must use the standard mechanism for Electronic Data Interchange (EDI) when managing insurance claims
- HIPAA Privacy Rule - aka the Standards for the Privacy of Individually Identifiable Health Information, this rule sets the standards to protect patient health information
- HIPAA Security Rule - aka the Security Standards for the Protection of Electronically Protected Health Information (ePHI), this rule gives standards for patient data security
- HIPAA Enforcement Rule - this rule states guidelines for investigating HIPAA violations
As can be seen, Title II is made up of a collection of standards and practices for organizations to follow, both to make compliance easier to manage and to quickly identify where non-compliance takes place.
Unlike other standards, HIPAA compliance is not a one-off certification, or even one that only needs annual audits and reviews. Instead it’s one that requires continuous monitoring and upkeep, since a finding of non-compliance can come from anyone and at any time. As ominous as this sounds, staying HIPAA compliant in the cloud is being made increasingly easier, as the US Health Department’s (HHS) Office for Civil Rights (OCR) recognized that more guidelines were needed for the growing cloud industry.
Of the requirements in Title II, it’s the Privacy Rule and Security Rule which are key to Cloud Service Providers (CSPs). In addition, the HHS enacted an Omnibus Rule to cover requirements previously missed; most importantly, this included the Breach Notification Rule, another important rule for CSPs. As the name suggests, should there be any breach of the Privacy Rule as it relates to patient health information, organizations need to notify the affected individuals, the Secretary, and, if relevant, the media.
In its guidelines stating the three rules critical to CSPs, the HHS also mentions considerations and flexibility to take into account, given the many variations in the cloud and the services provided from it, such as a “no-view” service, i.e. one where the provider has no read access to the data.
HIPAA Considerations for the Cloud
It’s useful to begin here with a quick glossary of terminology, as we all know that legal jargon isn’t everyone’s language. On the HHS website, under HIPAA, you’ll often see these terms, so let’s break them down into plain English:
- Covered Entity = Health Plan, Health Care Provider, Health Care Clearinghouse, i.e. any parties or businesses involved in the medical claim from inception and validating, to submission and payout.
- Business Associate = Any third party business to a Covered Entity that deals with Protected Health Information, including creating, maintaining or transmitting it. Cloud businesses and their employees usually sit here. Also referred to as Cloud Service Provider (CSP).
- Business Associate Agreement (BAA) = The agreement between the Covered Entity and Business Associate, stating that the Business Associate (aka CSP) is directly liable for staying compliant with HIPAA.
HIPAA Security Rule Considerations
As we know, any CSP that is considered a Business Associate must comply with the Security Rule and its specific requirements for managing ePHI. It’s important to note here that even if only encrypted storage is provided, with no decryption keys held by the CSP, the CSP is still required to comply with HIPAA because it is still managing the data.
There is, however, some flexibility that can be arranged between customer and cloud provider when it comes to the Security Rule. Using the BAA to ensure full agreement from both parties, it’s possible for some areas of compliance to be satisfied by just one party’s actions.
For example, Acme Cloud Store Inc provides a service that maintains ePHI through encryption and has a strict no-view policy. Their customer, Happy Body Healthcare, is in full control of who can access the sensitive information and uses Multi-Factor Authentication (MFA) for this. From this, the CSP, or Business Associate (Acme Cloud Store Inc), and the customer, or Covered Entity (Happy Body Healthcare), have come to an agreement (the BAA) that all access control responsibilities are suitably managed by the customer.
In this example, the customer is managing access to ePHI, and it is only this responsibility that the agreement covers. It is still a requirement that Acme Cloud Store Inc applies its own strict access policies to the infrastructure in which the ePHI is hosted.
HIPAA Privacy Rule Considerations
As per the rule, a CSP can only use or disclose ePHI as permitted by the BAA, the Privacy Rule or any other legal requirement. This extends even to those with a no-view policy, like Acme Cloud Store Inc, who have no control over who accesses the information and who themselves cannot read the data.
It’s also important to note that, under this rule, Acme Cloud Store Inc must include a secure process for individuals to access, change, and receive their own ePHI. There is a fine line drawn in the Privacy Rule, as individual access and amendments to ePHI must be maintained. However, it’s important to remember that it is not permissible for the CSP to entirely delete the data, or block its customer’s access to it, on behalf of that individual.
HIPAA Breach Notification Rule Considerations
It’s safe to say that on nearly all occasions of a breach, notification is essential. There are, however, a couple of scenarios where this wouldn’t be the case.
The first is when the data that has been breached is encrypted to HIPAA standards. This is then considered “safe harbor”, where disclosure to the customer isn’t required.
The second scenario where notification isn’t essential depends on what is considered a breach. This is where legal terms are useful to know inside out! According to Cornell Law School, the definition of a breach excludes any access to (authorized or not) or use of information which was done in good faith and not further used unlawfully. It also isn’t considered a breach if the unauthorized person wouldn’t have been able to retain the information. Understandably, this could be a difficult path to navigate either way, so to be more bulletproof, don’t allow any ambiguity into your processes or systems.
In either case, consulting with appropriate legal counsel is highly recommended.
How to Stay HIPAA Compliant
As part of a greater effort to aid HIPAA compliance within the cybersecurity space, the US Health Department’s (HHS) Office for Civil Rights (OCR) aligned HIPAA with the National Institute of Standards and Technology (NIST) framework. As NIST is one of the most widely recognized standards in the industry, this makes it clearer and easier to be HIPAA compliant if you’re already NIST compliant.
Because of the very nature of the standard, many businesses also invest in HIPAA compliance training and credentials to keep standards and awareness high, a bonus to employees and customers alike. The OCR itself offers a range of training modules on the topic, given how often it changes, and there are many consultancies who also offer training.
Cloud Conformity is compliance software that helps organizations understand where HIPAA compliance affects their infrastructure, and how to maintain the high standards required so that the risk of breaches and consequent fines is kept as low as possible.
The platform runs over 500 checks on your AWS accounts, both in real time and on a schedule, all with customizable alerts and with the ability to filter down to only the HIPAA-relevant checks. From there, it’s possible to drill down into any failures and to remediate check violations using the accompanying remediation rules.
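To make the idea of a framework-filtered check run concrete, here is an added, self-contained illustration (not Cloud Conformity’s code or rule set) that evaluates a small constructed inventory of AWS-style resources against checks tagged with the frameworks they serve. The resource attributes, check ids and remediation text are assumptions chosen for this illustration; the HIPAA-tagged checks mirror the controls discussed above (encryption at rest, no public exposure of ePHI, MFA for access).

```python
from dataclasses import dataclass
from typing import Callable

# Constructed inventory of AWS-style resources (no real account is involved);
# the attribute names are assumptions made for this illustration.
INVENTORY = [
    {"type": "s3", "id": "phi-archive", "default_encryption": True, "public": False},
    {"type": "s3", "id": "marketing-assets", "default_encryption": False, "public": True},
    {"type": "iam_user", "id": "clinic-admin", "mfa_enabled": True},
    {"type": "iam_user", "id": "contractor", "mfa_enabled": False},
    {"type": "cloudtrail", "id": "org-trail", "logging": False},
]

@dataclass
class Check:
    id: str
    resource_type: str
    risk: str
    frameworks: set                 # e.g. {"HIPAA", "NIST"}; drives the framework filter
    passes: Callable[[dict], bool]  # returns True when the resource satisfies the check
    remediation: str

# Hypothetical check ids; the HIPAA-tagged ones reflect the Security Rule controls above.
CHECKS = [
    Check("S3-001", "s3", "high", {"HIPAA", "NIST"}, lambda r: r["default_encryption"],
          "Enable default encryption at rest (also relevant to breach safe harbor)"),
    Check("S3-002", "s3", "high", {"HIPAA"}, lambda r: not r["public"],
          "Remove public access to the bucket"),
    Check("IAM-001", "iam_user", "high", {"HIPAA", "NIST"}, lambda r: r["mfa_enabled"],
          "Require MFA for users who can reach ePHI"),
    Check("CT-001", "cloudtrail", "medium", {"NIST"}, lambda r: r["logging"],
          "Turn trail logging back on"),
]

def evaluate(inventory, checks, framework=None):
    """Run every applicable check over every resource and return the failures.
    When framework is given (e.g. "HIPAA"), only checks tagged with it are run."""
    failures = []
    for check in checks:
        if framework and framework not in check.frameworks:
            continue
        for res in inventory:
            if res["type"] != check.resource_type or check.passes(res):
                continue
            failures.append({"check": check.id, "resource": res["id"],
                             "risk": check.risk, "remediation": check.remediation})
    return failures

def failing_resources(failures):
    """Drill-down view: map each failing resource to the ids of the checks it failed."""
    out = {}
    for f in failures:
        out.setdefault(f["resource"], []).append(f["check"])
    return out
```

Running `evaluate(INVENTORY, CHECKS, "HIPAA")` reports three HIPAA failures (the unencrypted public bucket twice, the contractor without MFA) and leaves out the NIST-only CloudTrail check, which only appears in an unfiltered run.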
Examples of high risk AWS HIPAA checks run on Cloud Conformity:
Cloud Conformity offers continuous assurance that your architecture meets the requirements for HIPAA right from inception, through initial deployment and on into ongoing maintenance, keeping your CI/CD pipeline secure and compliant. Have a look at your security posture using the free 14-day trial, which gives you full access to the platform, including real-time monitoring, auto-remediation and cost optimization.