Many VARs are looking to profit from health care-related cloud storage services. But with profit comes responsibility. Whether you build your own or offer another's service, the U.S. Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act dictate that you guard protected health information (PHI) in the custody of your client. HIPAA and HITECH (which is a set of add-on rules that extend the reach of HIPAA) require more than just a guarantee of PHI privacy and security: They dictate that PHI be portable, available to doctors for patient treatment, error-free and that access to it be recorded.
The liability for breached, misused, damaged or lost PHI can be astronomical and long-lasting, and it seems clear that we have only begun to see the ramifications.
As a cloud storage services provider or broker, you are classified as a Business Associate under HIPAA and therefore subject to HIPAA regulations. Failure to secure PHI can expose you to significant remediation expenses and penalties and subsequent damage claims. While HIPAA doesn't allow private action, the federal Office for Civil Rights and states' attorneys general can take action under HITECH, and some states allow patient suits under their state laws. Defending against those claims -- for instance, from a patient who couldn't get proper treatment due to a lack of historical information or from someone who didn't get a job because his health information was made public -- could bankrupt your company. If you're not fined by the government or sued by a patient, your client could fire you or sue you themselves.
So what should you do to provide HIPAA-compliant cloud storage services?
First, call your lawyer. Then, any time a new process or technology is introduced that could degrade the security, availability or integrity of the PHI, both you and HIPAA-defined Covered Entities (which, for the purposes of this article, refer to your customers, the health care providers) are required to complete a risk assessment. The Covered Entities are also obligated to verify that you, their Business Associates, are following HIPAA's Security Rules as they relate to the PHI you are entrusted with.
Failure to complete reasonable risk assessments and to verify Business Associate compliance can result in post-breach "willful neglect" accusations and mandatory fines of $50,000 to $1.5 million. In fact, a simple complaint to the U.S. Department of Health and Human Services can result in an investigation and fines. And Security Rule obligations cannot be waived through outsourcing. Even if you simply referred the client -- but failed to complete proper due diligence and subsequently advise the client -- you could find yourself on the losing end in a lawsuit where everyone in sight gets included by an opportunistic lawyer.
More on health care providers and IT
Data loss, damage or long-term inaccessibility is an undeniable risk of cloud computing. But, worse than that, such an event would likely be a violation of HIPAA on several levels. We saw some cloud failures in 2011, such as incidents with Google Docs, Microsoft 365, Amazon EC2 and BlackBerry. But more ominous is the U.S. Department of Justice's move to shut down MegaUpload in January 2012. It should shake us all to the core because it's evidence that an outside force could swoop in and shut down your hosting provider. According to MegaUpload's lawyer, up to 50 million users are without access and at risk of data being deleted. Totally legitimate businesses (some major) and users have not had access to their information since the January government raid, and they might never recover.
In public, private, hybrid or community clouds, due diligence will be key to survival. There are steps you can take to provide HIPAA-compliant cloud storage services, to protect both yourselves and your clients:
- Conduct a risk assessment, work with your clients to conduct a risk assessment and ask your hosting providers of choice to complete a risk assessment questionnaire.
- Find out if the hosting provider you've contracted with is commercially viable and whether they possess the financial resources to maintain the system properly.
- Obtain diagrams of the hosting provider's infrastructure and system design to be sure it is adequately designed and professionally documented.
- Obtain documentation of the provider's most recent security assessments done by independent organizations.
- Get real references from other VARs or MSPs in the health care space and call them. It's better to spend time now asking questions rather than explaining a failure later.
Finally, ask your hosting provider the following questions:
- Do they have qualified technical staff?
- Is their staff vetted and free of criminal history?
- Do they own their infrastructure and is it adequate for the purposes?
- If they do not own the infrastructure, can they provide assurances that the infrastructure meets compliance requirements and that staff members have no criminal records and are technically qualified?
- Are they providing adequate encryption in transit and at rest?
- Are they moving data around the world?
- Is data/equipment physically isolated/protected?
- Are they running a multi-tenant environment that could cause comingling of data or allow another tenant to gain access?
- Does their agreement include provisions to meet all applicable HIPAA Security Rules?
- Is the cloud co-located in a SAS 70 II or an SSAE 16 facility?
- Does the agreement describe how, in what form, for how much and for how long it will take to get your client's data in the event of a disaster or a contract termination?
- Be sure privacy policies state that the data is owned by the client and cannot be used by the hosting provider for any reason.
Kevin McDonald is executive vice president and director of compliance practices at Alvaka Networks, a network services and security firm in Irvine, Calif.