This article covers the fundamentals of HIPAA cloud backup compliance. More specifically, it discusses the essential principles of HIPAA, how and why HIPAA legislation is relevant to your cloud backup strategy, and how to comply with HIPAA when you’re backing up to the cloud.
What Is HIPAA?
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. The legislation itself protects personal medical information by compelling any party handling it to safeguard the data accordingly.
So, it’s extremely important to understand what the whole act entails if you intend to manage healthcare data.
And make no mistake about it: HIPAA applies not only to medical organizations and institutions, but also to MSPs that handle the corresponding data.
Chief HIPAA Regulations
All parties handling personal medical data are required to safeguard the privacy and confidentiality of every single piece of information. And this refers not only to electronic data, but also to oral and hardcopy versions. The rule fundamentally applies to all types of media.
Medical data should be adequately protected during storage and in transit. Its handlers are expected to persistently maintain its integrity and confidentiality.
Breach Notification Regulation
If medical data is breached, all handlers plus their associates are required to notify affected individuals in due time.
Primary HIPAA Terms
Protected Health Information (PHI)
This refers to all types of personal medical data safeguarded through the HIPAA Privacy Regulation. It includes oral, as well as paper and electronic information.
Electronic Protected Health Information (ePHI)
This refers to personal medical data that is stored or transmitted in electronic form. It should be handled carefully as stipulated by the HIPAA Security Regulation.
Covered entities are companies, organizations, and institutions that manage protected health information. In short, that means healthcare clearinghouses, healthcare plans, and healthcare providers that facilitate the electronic exchange of medical data.
Business Associates (BA)
While covered entities are healthcare organizations, business associates are the service providers that subsequently gain access to personal health information. And because of that, they should protect the data just like their covered entity counterparts.
Business Associate Agreement (BAA)
Otherwise recognized as a business associate contract, the business associate agreement is a document that acts as a contract between a covered entity and the corresponding business associate. It’s intended to compel the business associate to adequately protect personal health information.
Organizations That Oversee HIPAA
HHS is the U.S. Department of Health and Human Services, tasked with administering the HIPAA system, along with other programs.
OCR is the Department of Health and Human Services’ Office for Civil Rights, which essentially enforces the HIPAA laws.
How HIPAA Applies to Cloud Services
As we’ve established already, a business associate is any service provider that obtains personal health information from healthcare providers, and then proceeds to maintain or transfer it in electronic form.
Considering these parameters cover IT companies, it’s obvious that cloud service providers serving healthcare organizations are also business associates. And that, of course, means they are expected to comply fully with HIPAA laws.
Now, the process of identifying compliant cloud service providers is not as straightforward as you might assume. If you’re looking for HIPAA certification, for instance, you won’t find any. The fact of the matter is, it doesn’t exist at all.
Seeking recommendations from the HHS won’t help you either. It turns out the organizations that oversee HIPAA don’t mention any compliant cloud storage providers.
And the reason is simple. Instead of being certified, cloud storage providers are only considered to be compliant after they’ve entered into a valid business associate agreement with their covered entity. They should subsequently observe both the agreement terms and the accompanying HIPAA regulations.
HIPAA Requirements for Data Backup and Recovery
When it comes to data backup, HIPAA defines three sets of security regulations that covered entities and their business associates should comply with. They include technical requirements, physical requirements, and administrative requirements.
Now, it’s worth noting that HIPAA outlines varying security standards for each of these sets of requirements. And that’s not all. It also states both “addressable” and “required” specifications for every single security standard.
In essence, “required” specifications should be applied and executed as defined by the HIPAA regulations. “Addressable” specifications, on the other hand, are less restrictive.
Consequently, business associates and covered entities are free to assess their individual conditions, and then come up with their own preferred methods of applying addressable specifications.
Read further to understand HIPAA requirements for backup: