tips for securing ephi in the cloud
DESCRIPTION
When it comes to entrusting your electronic protected health information (ePHI) to a third-party cloud services provider, security is arguably the biggest concern. A lot of factors must be considered when looking for qualified providers you can work with and who want to work with you. Here are some considerations.TRANSCRIPT
Tips for Securing ePHI in the Cloud
When it comes to entrusting your electronic protected health information (ePHI) to a third-party cloud services
provider, security is arguably the biggest concern.
A lot of factors must be considered when looking for qualified providers you can work with and who want to
work with you. Here are some considerations.
covered entities are required to have three plans...
Under the HIPAA Security Rule,
1
...for recovering access to ePHI should the organization experience an emergency or a disruption of critical business operations: data backup, disaster recovery and emergency mode operation. Evaluate cloud services providers (CSPs) for the depth of their service capabilities and commitments in each context.
1
Data backup, disaster recovery and emergency operation mode...
The Three Plans -
2
...must accurately reflect the proceduresthat the organization actually uses. They must be updated as procedures change in order to remain relevant and accurate. Any changes the storage provider makes must also be reflected.
2
top-notch cloud security, it may not be neccessary to be...
Even if a CSP offers
3
...HIPAA Compliant.Look for providers that boast of HIPAA compliance and have them prove it. Ask for audit documentation.
3
a Business Associate Agreement (BAA) is table stakes for any CSP...
A willingness to sign
4
...Worth doing business withso make sure the one you are considering will do so.
4
states that CSPs (and other third-party provers...)
5
The HIPAA Security Rule
...(classified as business associates)have a framework in place to comply with HIPAA requirements. It’s up to you to ensure that is the case so get documentation from any CSP you work with that outlines this framework.
5
to ask a vendor to back up your data in its cloud...
It may seem unnecessary
6
...but don’t be lulled into complacency.Discuss retention policies and backup methods upfront with prospective CSPs. They should be able to meet your organization’s requirements and any regulatory requirements.
6
must be able to tell you precisely where your ePHI is...
Any CSP you work with
7
...Physically stored.Providers who cannot pinpoint data location or that rely on non-U.S. based storage are not HIPAA compliant. Know what the HIPAA requirements are in this regard, and make sure the CSP can meet them.
7
or attitudes toward data ownership and access.
Dig into a vendors policy
8
This can be crucialfor protecting your organization if your provider runs into business issues down the road.
8
access and attempted access to your data.
HIPAA requires that you audit
9
Work with your providerto ensure the hardware, software and/or procedural mechanisms that record and examine ePHI-related activity are implemented.
9
the data backup methodology you use and be certain...
Accurately document
10
...that it fulfills the HIPAA requirementto create and maintain retrievable exact copies of ePHI.
10
If you’re wondering which service provider has one of the industry’s most comprehensive compliance programs for
infrastructure, cloud and managed services, look no further than Peak 10 - in it with you, today and tomorrow.
Call to action here.