I feel bad for IT professionals in the healthcare space. Think about it: their budgets are squeezed by bureaucrats at every turn, they are constantly struggling to coerce Luddite doctors and surgeons to adopt technology, and merely “keeping the lights on” is quite literally a matter of life and death for patients. In no other industry does IT face this kind of relentless pressure and general all-around thanklessness.
Now think about the cloud and all that it offers: reduced infrastructure, minimized complexity, and simple pay-per-use licensing structures. But does healthcare IT see it this way? Goodness no! Healthcare CIOs are scared to death that moving any protected health information (PHI) into the cloud in any way, shape, or form will bring the wrath of the HIPAA gods down on their bedraggled heads.
In other words, healthcare legislation is once again prohibiting the entire industry from fulfilling its own mandate of improving customer care through technology while reducing the cost burden on patients and taxpayers alike.
And it doesn’t matter what kind of cloud solution it is, be it CRM, storage, instant messaging, or whatever. People are scared to use them in healthcare settings. In fact, a 2012 study by KLAS Research found that although nearly 60% of healthcare organizations were willing to use cloud applications of one kind or another, only 35% planned to put critical apps into the cloud. That is serious hesitation, my friends, and the epitome of a catch-22 given that healthcare orgs must meet the requirements of Meaningful Use.
So what to do? Well, there are in fact ways to go cloud whilst remaining HIPAA-compliant. And here is the biggest reason why: any cloud service provider (CSP) you do business with, and who has access to your PHI, is bound by the terms of the Business Associate Agreement (BAA) that they sign as part of the contract with your organization. By the way, you can find appropriate BAA wording here (as always, please consult with your in-house legal counsel).
Thanks to HIPAA’s Omnibus Rule, any business associate (BA) who signs that BAA must now be compliant with HIPAA in the exact same ways as any hospital, clinic, care centre, and so on. The business associate must also notify you in the case of any breaches where PHI may have been viewed, stolen, deleted, etc.
Of course, this approach is not without its own risks. Both you and the CSP you’ve entered into the BAA with are equally liable for any violations of the HIPAA rules. So be very careful about which CSP you approach, and about which CSPs approach you. If a CSP wishes to alter the BAA in any way that would lessen their own HIPAA obligations, or if they refuse to sign the BAA altogether, walk away. It’s not worth the aggro.
A good CSP will be very transparent about their willingness to work with HIPAA-compliant organizations. Salesforce.com is a great example of how a CSP provides the appropriate level of public-facing detail regarding how they maintain compliant levels of control when handling sensitive customer data. Other CSP issues to consider are:
- Location: Where does the PHI live? Which jurisdictions does it travel through?
- Breach: What does the CSP do to prevent data breaches? Can they react quickly?
- Access: What access controls does the CSP have in place? Are duties segregated?
With a little due diligence, a solid BAA, and a healthy dose of common sense, IT leaders in the healthcare arena can adopt cloud services and applications, and finally begin reaping the benefits of the cloud. Happy hunting!

Info-Tech’s Cloud Strategy Development Blueprint discusses compliance risks and planning to mitigate those risks. Also see Implement a Data Integration Strategy in the Cloud and Federate IAM for and from the Cloud.