HIPAA-Compliant Cloud Storage
Healthcare profitability requires managing large amounts of data to make accurate decisions while remaining compliant. How can organizations address issues around patient data portability, communication, privacy, and compliance? Healthcare is under pressure from an aging population, and the cost of care continues to outpace inflation. Providers struggle to communicate and coordinate patient care, and there are issues with accessibility, interoperability, and privacy permissions when collecting and storing patient data.
In addition to the aforementioned drivers for change exerting pressure on healthcare, big data is a significant factor in healthcare’s growth and change. The use of machine learning and artificial intelligence is driving the aggregation of data from multiple sources, and the use of telemetry systems is pushing the limits of storage capabilities. Decisions about whether to use cloud storage are complicated by concerns about security, compliance, responsiveness, and cost savings.
Healthcare CFOs in hospitals, imaging centers, surgical centers, and more are under unrelenting demands to reduce costs as profit margins continue to narrow. Medical directors must ensure better patient care, personalized to each patient and with individual information immediately accessible per HIPAA guidelines. The IT Manager must keep all of this electronic protected health information (ePHI) secure. Operations managers face competitors who use sleek marketing campaigns to boast of increased inpatient flow and operability targets. How can a single facility not just face these challenges, but also overcome them?
The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, aims to improve the portability and accountability of health insurance coverage while establishing privacy and security guidelines. The HIPAA Privacy Rule, published in 2002, ensures that individuals’ health information is properly protected while allowing the flow of health information needed for high-quality care. Health plans, providers, and even contractors must meet these privacy requirements. The need for HIPAA compliance encouraged digitization of healthcare records, as outlined in the HITECH Act of 2009, which led to the Meaningful Use incentive program.
Healthcare providers who receive Medicare and Medicaid incentive payments must meet specific meaningful use requirements, including:
Central to these criteria was the introduction of electronic health records (EHR). While today’s digital records mostly replace bulky files in physical storage, they do still have storage demands that can tax infrastructures and budgets. Patient data can encompass decades, contain information from multiple providers, and hold hundreds of imaging sequences from a single appointment.
The growth of medical record data is astronomical. In fact, some estimates put annual growth in data storage needs at 40%. Dealing with this level of electronic data is an enormous challenge, and once the privacy conditions required for HIPAA compliance are taken into account, the complexity of maintaining responsive yet secure storage intensifies.
Rising IT infrastructure costs are one more hurdle to managing data demands and privacy requirements. Hardware, software, and networks need regular updating and upgrading. Computers, mobile devices, medical devices, telemetry tools and other connected devices do more than produce data — they consume large amounts of bandwidth. Remote management programs and licensing fees for ubiquitous tools such as Microsoft Office and Adobe, not to mention vendor-specific applications, add to the bottom line. How does one decide how to best distribute limited funds in an environment with so many competing priorities?
Healthcare IT administrators not only have to worry about infrastructure costs, but also the potential cost of data loss. Natural disasters such as earthquakes, hurricanes, tornadoes, and fires can destroy servers holding digital health records. Unfortunately, the frequency and intensity of these kinds of disasters are increasing, according to climate data. Catastrophic floods from intense precipitation, river flooding, and coastal storm surge pose a significant risk to on-site servers that may not be designed to withstand such events.
Security breaches also pose a significant risk to electronic health records, and the healthcare industry faces the highest data breach costs of any industry. Roughly half of data breaches occur due to human error or system glitches, while the other half stem from malicious intent or criminal activity. Recovering from all types of data breaches, including hacking and ransomware attacks, can be expensive. Healthcare organizations also risk losing customer trust: patients leave the business for another one following a breach, leading to a churn rate of 6.7%, nearly twice the average of all other industries. In the “value-based” healthcare model, providers must demonstrate positive outcomes over time, and if patients lose confidence in data security, there will be no viable way to measure progress.
It seems like everyone is “in the cloud” or “migrating to the cloud” these days, or getting ready to deploy some sort of cloud-based service. But what does “cloud” actually mean? Simply put, cloud computing refers to using on-demand computing services, such as applications, power, and storage, that are stored on servers rather than on your own computer. This means that the information is accessed over the internet when needed, and you might only pay for what you use at that time. When we talk about “cloud storage,” we’re specifically talking about storage that’s located off site.
If you were to walk into a cloud storage facility, you’d see a large room filled with racks of servers and wires running overhead. Some areas might be separated for specific tenants who have purchased a certain number of servers for their exclusive use. So that’s the physical, non-fluffy look at the cloud.
One purpose of that server farm is to provide Infrastructure-as-a-Service (IaaS). This is where servers and storage, networking, and data centers are managed by the vendor while the client remains in control of applications and operating systems.
Cloud storage is incredibly flexible, but it requires knowledge and skill to truly unlock its potential for maximum benefit. Mismanagement can lead to data loss, causing problems such as wasted money, hampered productivity, and even fines.
However, the opposite is also true. Properly managed healthcare cloud storage can lead to data retention, greater productivity, and cost savings. With secure patient records available at all times, healthcare providers can easily share information with other professionals. Large files can be stored without taking up too much space. Analytics programs can be applied to the data, providing valuable insights into patient throughput and even predicting readmission likelihood. Advancements in artificial intelligence can be utilized to work with flexible storage space, allowing for machine learning programs to decipher previously unusable records. As organizations move toward precision medicine, this will be even more crucial.
Cloud storage is off-site storage. When information is needed, it is sent via the internet to the user.
Cloud storage has significant benefits:
Well-managed healthcare cloud storage leads to data retention, greater productivity, and financial savings.
Entities handling health data fall into different categories: healthcare provider, healthcare plan, and healthcare clearinghouse are all covered providers. A cloud storage provider is a business associate and must meet HIPAA privacy and security requirements. Both parties must sign a business associate agreement (BAA) agreeing to the terms of data exchange and possession. Cloud storage providers must also adhere to compliance guidelines for individual hospital practices and private insurers.
- Ensure confidentiality, integrity, and accessibility of ePHI
- Protect against reasonably anticipated threats or hazards to ePHI
- Protect against reasonably anticipated losses or disclosures of ePHI
- Ensure compliance by its workforce
As part of the Security Rule, HIPAA requires BAs to establish and maintain administrative, physical, and technical safeguards. These safeguards dictate the creation of access processes and workforce training for compliance, the creation of a physically secure environment, and the creation of access authentication and transmission security controls. The HIPAA Security Rule has over 70 combined standards and implementation specifications, so describing each of them in depth is beyond the scope of this document. However, interested readers can delve deeper by reading some of the many government publications that address this issue.
HIPAA-compliant cloud storage business relationships begin with a business associate agreement (BAA), but also should have a service level agreement (SLA) that outlines specific responsibilities. According to hhs.gov, SLAs can include provisions that address such HIPAA concerns as:
- How old is the data center hardware and the software used to manage it?
- How much downtime, if any, is anticipated during the transition period?
- What preventive measures have the provider taken to avoid separation failure (when data from different tenants is inadvertently stored together)?
- How does the cloud service provider prove data deletion?
- Are the cloud storage facilities staffed 24/7 with technical and security personnel?
- Will they share their audits, especially regarding security and financials? Sharing financials can prove stability and display both transparency and sustainability. Performing regular audits is part of being HIPAA-compliant.
- Have they ever had a security breach? How was it handled, and what have they done to prevent future breaches?
- What kind of background checks are performed on employees? Do employees receive continuing education on best practices in cloud storage and compliance issues? For a potential HIPAA business associate, employee training is a mandated element of compliance.
- What is their HIPAA disaster recovery plan? If they don’t have one, consider finding a cloud storage provider with more experience in healthcare data storage.
- There are certifications for almost everything under the sun. What certifications does the cloud storage provider have, and what do they mean? Perform due diligence here.