By Philip Hedlund, vice president business operations, Carpathia
It comes as no surprise to most Americans that health information security is a major focus heading into 2015. With the drastic increase in the creation and sharing of electronic protected health information (ePHI) largely as a result of the Affordable Care Act (ACA), the federal government, states and health organizations are tasked with taking additional steps to ensure sensitive information is protected and compliance is maintained.
Recent reports from the Department of Health and Human Services (HHS) indicate that more than seven million people have enrolled in the federal government’s insurance marketplace to receive health coverage. With the open enrollment deadline extended to April 30, 2015, we can only expect that number to rise, and with it the amount of health information entering various electronic environments. Couple this with the desire of many organizations to take advantage of the cost, scale, and flexibility benefits of technologies such as the cloud, and the potential for security and compliance risk must be considered.
In response to the current environment, organizations are taking a new approach with the adoption of newer, highly compliant and secure community clouds that create a walled garden specifically for organizations handling ePHI. As a part of the natural evolution of the extranet, community clouds offer multi-tenant platforms that group customers based on their shared security and compliance requirements, making them ideal for the healthcare community.
The high cost of data breaches and compliance
According to a June 2014 HIMSS Analytics Cloud Survey, a notable 80 percent of health organization respondents reported that they currently utilize cloud services. For the remaining 20 percent that were resistant to moving to the cloud, security concerns were cited as a primary barrier. With cloud adoption across the healthcare industry increasing, ensuring security and compliance in the cloud is paramount to limiting liability.
To put some context around the risk, 2014 figures from the Ponemon Institute show that the average cost of a data breach to a company is $3.5 million—that is 15 percent more than it cost in 2014. Costs at that level could force some smaller health companies to close their doors if a breach should occur. And a hefty fine isn’t the only price a data breach or lack of compliance can bring—the leaking of sensitive health information can also do permanent damage to a health organization’s reputation.
Addressing the hurdles ahead
Heading into 2015, healthcare entities utilizing the cloud need to ensure their cloud service providers are operating environments that meet the strict requirements of the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and other laws that apply to healthcare organizations. Under HIPAA and HITECH, when a covered entity or its business associate maintains protected health information in the cloud, the cloud provider becomes a business associate, “even if the [cloud provider] does not actually view the protected health information.”* Sections 13401 and 13404 of the HITECH Act make those cloud providers—as business associates—directly liable for compliance with the Security Rule and the Privacy Rule. Therefore, organizations should do their due diligence to select a cloud provider that has a proven track record, is knowingly and willingly a business associate, and is committed to ensuring compliance with the Act.
“If you use a cloud service, it should be your Business Associate. If they refuse to sign a Business Associate Agreement, don’t use the cloud service.”
David Holtzman, Information Privacy Division, Office for Civil Rights, during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.
To ensure that the information your organization is collecting remains secure, look for cloud providers with good reputations and partners, and those whose environments are able to meet the security requirements for covered healthcare entities and their business associates – including healthcare providers, health plan administrators, and healthcare clearinghouses.
Achieving and maintaining security and compliance is not an easy task, but by engaging a secure community cloud service provider, you can ensure that sensitive information stays protected and compliance standards are maintained.
*Quote from page 5672 of the Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations