A few months back, we discussed the crucial role of data encryption in HIPAA compliance and the steep fines that can be levied for a failure to adhere to the letter of the law. This week, we take a look at some of the ways cloud computing relates to HIPAA-HITECH compliance and how you can reduce your risks when operating in the cloud. If your organization is one of the many wanting to take advantage of hosting or cloud services, you’ll need to ensure your company’s compliance. Not doing so could jeopardize your company’s data security.
As a HIPAA-HITECH compliant company, your first concern when migrating to the cloud is that all PHI (protected health information) and PII (personally identifiable information) will be secure. Before you settle on a managed services solution, you’ll need to know how your future cloud hosting provider will protect your data. If you select the right cloud provider, you may actually achieve a higher level of network and system security than you could achieve on your own.
The following are a few tips that will help you mitigate your risk:
Be Cautious to Avoid Bogus Claims
You should be wary of misleading claims such as “100% HIPAA” and “Guaranteed HIPAA Compliant,” as there is no third-party certification for HIPAA compliance. The only way for a Business Associate’s processes to be determined HIPAA compliant is through an actual audit. You should ask for specific details about how a cloud hosting provider will handle your data, whether it’s online or offline, as you are ultimately responsible for data security. They should be fully transparent about exactly how they secure your data and systems. Be sure your agreement with them also clearly defines what measures they will take and who is responsible in the event of a security breach involving any PHI. Finally, it’s a good idea to ask if they are covered by data-breach-specific liability insurance, in addition to the regular E&O insurance.
Make a Plan for Upgrades
Another often overlooked consideration: what happens when you or the provider refreshes or upgrades equipment? If you choose a hosted option in which you own some or all of the equipment you will be using, how will you and your provider manage the hardware disposition and data destruction when you decommission or refresh your systems? Servers, storage systems and network equipment store IP addresses and other internal corporate network information. You need to be certain that all of this equipment will be reset in order to effectively protect this wealth of sensitive information.
Plan for Special Disposal of Hard Drives
Hard drives, of course, need to be erased or destroyed per your company policies. Ensuring that the entire process is secure, meets your company standards, and is HIPAA compliant is your responsibility. Make sure you know how your provider will manage this process and which outside vendors they may use. If you are selecting the vendor and managing the data destruction and disposal, you will still need to know how your cloud provider will securely move and store any drives or devices that have been decommissioned. Whether it’s your own data destruction vendor or one selected by your hosting company, that vendor should be NAID AAA certified. An audit from OCR (Office for Civil Rights, Department of Health and Human Services) will use NIST 800-88 as a reference to determine whether the process is acceptable. NAID processes are comprehensive and based on NIST 800-88, and each certified vendor is audited by an accredited third party twice annually.
For other key strategies for risk avoidance and compliance in the world of ITAD and data destruction, download our free Guide to Minimizing the Risk of IT Asset Disposition.