HIPAA Cloud Hosting: Avoiding Compliance Pitfalls

Posted by Rebecca Santorios on January 7, 2016

HIPAA compliant cloud hosting ensures that vital healthcare data is available whenever and wherever you need it. However, there's a lingering perception that the cloud is a compliance risk, especially in the face of high profile, large scale security flaws like Heartbleed and the recent Internet Explorer bug. The risks associated with a security breach are real, but by taking the right steps, covered entities and their business associates can ensure that they're fully protected.

Start with a risk assessment

The OCR reports that this is one of the biggest compliance shortcomings of the entities they've audited, and they plan to start taking a closer look at these too. A thorough risk assessment actually helps you make sure you have the right controls in place for your system. The risk assessment shouldn't be boilerplate – it serves as the driver for determining what you need for your health IT solution.

An experienced HIPAA compliant hosting provider will have an up to date risk analysis for their datacenter, saving you time in assessing their infrastructure. They'll also have a certified compliance team to help with the specifics for your system.

Keep it in the cloud

HIPAA compliant hosting helps you avoid one of the most common security pitfalls - lost and stolen devices. These are the most frequent cause of breaches involving electronic devices, based on data reported on the HHS website. By keeping your data in a secure cloud environment, you avoid this risk. Your health IT solution should keep your data behind your secure firewall, not stored locally on laptops or other devices that can easily be lost or stolen.

Encrypt your data

Keeping your data encrypted is fundamental for HIPAA compliance. This single aspect of HIPAA compliant hosting affords a covered entity immense protection from compliance failures. Security is improved, since fewer individuals will be exposed to protected health information. Furthermore, encryption can help a covered entity avoid notification if a breach does occur, since it ensures that ePHI isn't compromised even if files are accessed by an unauthorized individual. This can translate to a huge savings – by avoiding fines and secondary costs due to a damaged reputation.

Put a solid BAA in place

The Omnibus rule expanded the liability for business associates themselves, but covered entities are still held responsible for the actions of their BAs. Like a risk assessment, a Business Associate Agreement is more than a regulatory requirement, it also helps to protect covered entities by clearly delineating a cloud provider's responsibilities, particularly how they'll handle the entity's ePHI, and notify the entity in the event of a breach. A thorough BAA helps ensure that you and your partner are compliant.

ByteGrid is the leader in HIPAA compliant hosting. We have years of proven experience providing high-availability IT services to some of the most sensitive regulated customers. Our data centers were designed specifically for compliance. We have rigorous security controls, including advanced intrusion detection and monitoring, to protect against security threats.

Compliant hosting is our specialty. Partner with us today and let your organization experience the security and productivity that HIPAA compliant hosting provides.