With the passage of the Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act (the stimulus package) in 2009, regulatory requirements have been extended to include the business associates that work with health care providers to provide end-to-end care. Now, organizations not only rely on the services they provide each other; they also rely on each other to be compliant.
In effect, anyone and everyone who touches protected patient health information is accountable and could be penalized for failure to comply with the HIPAA/HITECH regulatory requirements.
Trusting the Cloud
Patient health information must be secured, privacy must be ensured, the patient/consumer needs to understand what is being shared and exposed, and the provider must obtain an explicit agreement from the patient as to what can be shared. Unauthorized use of the data must be prevented, or there could be some serious auditing expenses, fines or even jail time.
The security element of HITECH is about ensuring the privacy of both electronic and physical information — medical records being stored, emailed, printed out, reviewed or analyzed, or even faxed. This requirement covers any and all business associates that deal with medical providers, as they too must meet all of the HIPAA/HITECH requirements. This includes entities such as hosting providers, email providers, medical labs, garbage collectors, couriers and others who come into contact with the practice.
Naturally, the depth and breadth of the requirements raise a huge concern for businesses that are considering moving some or all of their operations to the cloud as an alternative to their traditional on-premises IT services. Businesses are concerned with what types of information are being shipped off premises and what is done with the data once it leaves the traditional network boundaries.
For example, electronic medical records being shipped off to the cloud provider can make hospital administrators feel as though they're losing complete control of their data, thereby putting them at risk of failing to meet the regulatory requirements, or worse, experiencing a security breach. They are completely reliant on the cloud provider to protect that data in support of the regulation.
But this isn't the full picture. There are tremendous benefits for businesses moving some or all of their operations to the cloud. As an example, some hospitals don't have a well-developed IT infrastructure to support the ongoing regulatory developments and their related audits. Private cloud/hybrid cloud options can help them achieve this objective while also consolidating systems and processes, thereby driving down costs.
Another good example is a hospital that lacks in-house IT personnel and the knowledge required to manage all of the systems, technologies and related business operations. An outsourced IT business model can store information on servers and transmit it to other entities using encryption technologies, helping to prevent system intrusions and avoiding internally driven data breaches.
With more than 3 million providers and business associates that must show they are compliant with HIPAA/HITECH, the cloud is certainly the best way for a majority of them to proceed.
Requirements for Cloud-Based Compliance
The first step toward compliance is to understand the requirements and to evaluate how well the organization is performing in regard to the requirements. To maintain control of the process and the data, hospitals should perform a self-guided assessment that doesn't require any protected data to leave the business. The protected patient health information should stay with the business during the assessment; only the assessment information should be securely stored in the cloud using an SAS70-certified data center.
All entities involved in meeting the requirements, including business associates, must be involved in the survey and analysis. The results of the survey should provide a clear view of gaps in the system and an understanding of which gaps need to be assessed further for risk. The potential damage from not addressing the risk should be made obvious by the solution as well.
Once the organization has assessed the risks and compliance gaps, the next step is to provide processes and safeguards to mitigate compliance and security risks.
The traditional way to handle this process is to install some software or an appliance directly onto the network. As most hospital network administrators understand, this can be both costly and difficult to maintain. However, by bringing this to the cloud, collaboration across business boundaries can be performed with little investment in deployment and maintenance.
One of the key benefits in moving a process to the cloud is that the service and subscription should be affordable and not require payments when the service is not being used. A cloud-based solution typically delivers the best results in this regard.
Getting an Assessment Started
Most hospital administrators simply don't know where to start. The unknown can be overwhelming. Most business leaders will stop their evaluation at understanding HIPAA mandates and are unlikely to move beyond the initial assessment.
An easy way for businesses to begin their assessment is by asking themselves a simple set of questions: Do you travel with a laptop? Do you manage patient information? How and where is the patient information stored, accessed, used and transmitted? Would your business be affected by a breach of this data through any means captured in these questions?
Another task that often challenges hospital administrators is selecting the most appropriate solution for their business. Directly tied to this are the costs of acquiring the resources needed to perform the implementation and maintenance. To further exacerbate the problem, assessment is not a one-time event — it must be revisited.
Some hospital leaders may try to use their existing privacy tools and security infrastructure to perform the analysis themselves. This often does not offer them all the necessary information. Most likely, they lack the tools that are configured to collect the right information. Furthermore, if the business has not implemented a specific (overarching) HIPAA/HITECH compliance tool to analyze the data it collects, it won't be able to properly assess the posture and the risk of not meeting the requirements.
What's the icing on the cake? Audits. If a business gets audited, its leaders certainly will want to have the information to stand up to the scrutiny of the auditors — year after year — for every audit to which it is subjected.
Achieving Compliance from the Cloud
We are reading more articles that indicate the public cloud could be more secure than the organization's own in-house network. That's because the cloud provider likely will spend more resources to secure the environment, probably a great deal more than the limited-resourced hospital is able to invest alone.
If a hospital is not able or willing to invest properly in the research, staffing and ongoing maintenance of its regulatory program, it is critical that the hospital find a trusted cloud service provider with the knowledge and expertise of HIPAA/HITECH and tools that do not require any installation, maintenance or training.
All health-oriented business leaders who are using, accessing, storing and sharing patient information must realize that meeting the HIPAA/HITECH requirements is like getting a yearly physical exam. Without an annual physical, the business might find itself stricken with a regulatory disease that is hard to treat or too late to cure.
Anupam Sahai is the president of eGestalt Technologies, a provider of IT security, governance, risk management and compliance (IT-GRC) solutions based in Santa Clara, Calif.