HIPAA TIP: Sensitive Data and the Cloud Shared Responsibility Model
First and foremost, do you know where all of your organization’s Protected Health Information (PHI), electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII) is stored? As a Covered Entity or Business Associate it is your responsibility to put in place security measures to safely store all PHI and ePHI per the HIPAA Security Rule, and you can’t defend what you don’t identify.
While conducting the annual HIPAA Security Risk Analysis, determine ALL locations where PHI (ePHI) is stored. Some of the locations include the Electronic Medical Records or Practice Management software, dictation or transcription software, messaging systems, documents, downloads and computer desktops (user profile folders), to name a few.
What about shared files and cloud storage software? HIPAA doesn’t prohibit healthcare organizations from leveraging cloud solutions, but it is critical to understand that transferring ePHI to the cloud does not transfer your organization’s responsibility to protect that data. There is no such thing as a “HIPAA compliant cloud service,” and no Cloud Service Provider (CSP) can guarantee compliance. CSPs are considered Business Associates, so you are obligated to obtain reasonable assurance they have implemented “appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of” ePHI in the form of a Business Associate Agreement (BAA). Most large CSPs are willing to sign a BAA, but the CSP’s safeguards are not your organization’s safeguards, and the fact that a CSP supports HIPAA compliance does not automatically mean that using the service is free of compliance risk. Compliance in the cloud is not just a matter of having services available, but how you use and configure those services. Gaining an in-depth understanding of your provider’s shared responsibility model (which security functions they are responsible for vs. which your organization must implement and configure) should be a foundational component of your CSP due diligence and annual SRA review processes.