For the past few years, cloud security has become a topic of increasing attention and relevance as consumers find themselves concerned over the safety of their personal information. Recently, HyTrust Inc., a leading security firm, announced the results of a survey conducted to analyze how healthcare and biotech organizations protect the data they store in the cloud.
HIPAA regulations dictate that health information stored electronically must be protected so that it cannot be linked to a specific individual. Protected health information falls into three categories:
Any information of this type becomes electronic protected health information (ePHI) if it carries an identifier that ties it back to an individual. There are 18 types of identifiers: some are obvious, such as name, address, or Social Security number; others are less so, such as a health plan beneficiary number, a vehicle serial number, an electronic device identifier, or even a voice print.
In October 2016, the Department of Health and Human Services released updated HIPAA cloud computing guidance. Its goal was to help covered entities, business associates, and cloud service providers understand their HIPAA obligation to protect ePHI.
The guidance takes the form of a detailed Q&A covering:
- the relationship of cloud service providers to covered entities and business associates
- storage protocols
- encryption/decryption practices
- reporting of security incidents
- the use of mobile devices to access ePHI
HIPAA regulations do not specifically require data encryption for ePHI; instead, they treat encryption as an "addressable" safeguard for protecting ePHI. However, encryption is clearly integral to compliance with HIPAA's Security Rule, which states that ePHI must not be available to those unauthorized to have it.
The HHS guidance states that while encryption alone “cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule,” it does protect ePHI by “significantly reducing the risk of the information being viewed by unauthorized persons.”
As a best practice, healthcare organizations should regularly review their safeguards and procedures to ensure that ePHI is secure and that encryption is in place.