
Web Exclusive

HIPAA vs. the Cloud
By Chris Witt

If you are involved in HIT, you know all about HIPAA and the responsibility it puts on organizations to protect patient information. In HIPAA’s early days, there were only general guidelines and required outcomes to help direct IT departments in reaching compliance. The fact that most organizations maintained a “closed” system, meaning they had their own data center with very little data being exposed outside of the organization, made compliance relatively simple. Our biggest worry was the tape media being rotated out to our favorite offsite storage facility. Over time, data center strategies have evolved to include collocation and managed services. While this has added some complexity to HIPAA compliance, you still know exactly where your data resides and have a good idea of who could potentially access it from the third-party provider. Now cloud computing has been added to the mix of service options. This adds some interesting HIPAA compliance challenges since absolute end-to-end control of the data is no longer ensured.

Challenges in the Cloud
For the sake of this discussion, we are only concerned with the concept of a public cloud. A private cloud that is served from your own data center is no more a concern than delivering services from traditional non-cloud-based servers. For HIPAA, data privacy is a key component. In order to maintain security, you need to know where your data reside, take precautions to preserve privacy, and employ mechanisms to audit access. In the cloud, servers, network, and storage are designed to be abstracted, which means you do not know where things physically reside.

Getting data to and from the cloud is not terribly challenging. Today, most organizations move data securely over the public network (aka the Internet) using various encryption methods such as virtual private network tunnels and SSL-secured Web communication. Once the data reach the cloud, protecting them becomes more problematic. Ideally, all data would be encrypted end-to-end, including while in storage. However, few healthcare application vendors support this. So, in the cloud, numerous people whom you do not control will have access to the physical servers and storage. Since complete control of the data and cloud computing seem to be in conflict, certain precautions need to be employed. Given the current absence of industry-wide certifications that would ultimately provide legal protection, the organization needs to negotiate a strong contract with the cloud provider that protects its interests. The cloud vendor should also be required to provide detailed reporting that includes all access to the servers and storage by anyone within their organization. The contract should include strong financial penalties to help incentivize the vendor and indemnify the healthcare provider in case there is a breach.
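The two controls this paragraph describes, encrypting data before it reaches the provider's storage and keeping an access report covering provider staff, can be shown in a short model. The following Go program is an added example written for this article, not code from the author or from any cloud vendor; the record IDs, the sample patient text and the fixed 32-byte key are constructed for the demonstration (a real deployment would keep the key in a KMS or HSM on the covered entity's side), and `CloudStore` is a hypothetical stand-in for the provider's storage API. Records are sealed with AES-256-GCM so that an operator with raw storage access sees only ciphertext, the record ID is bound in as associated data so a blob cannot be moved between patients, and every `Put`/`Get` lands in an access log regardless of who the actor is.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob is everything the cloud provider ever stores: a nonce and ciphertext.
// The key stays with the covered entity, so storage access alone yields no PHI.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// EncryptRecord seals one record with AES-256-GCM before it leaves the organization.
// recordID is passed as additional authenticated data, binding the blob to that record.
func EncryptRecord(key []byte, recordID string, plaintext []byte) (Blob, error) {
	if len(key) != 32 {
		return Blob{}, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(recordID))}, nil
}

// DecryptRecord opens a blob back at the covered entity. A modified nonce,
// ciphertext or record ID fails GCM authentication instead of returning garbage.
func DecryptRecord(key []byte, recordID string, b Blob) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(recordID))
}

// AccessEvent is one line of the access report the contract should require.
type AccessEvent struct {
	Actor, Action, RecordID string
}

// CloudStore models the provider side (hypothetical): it keeps blobs and logs
// every access, including by its own staff, but never holds the key.
type CloudStore struct {
	blobs map[string]Blob
	log   []AccessEvent
}

func NewCloudStore() *CloudStore { return &CloudStore{blobs: map[string]Blob{}} }

func (s *CloudStore) Put(actor, id string, b Blob) {
	s.blobs[id] = b
	s.log = append(s.log, AccessEvent{actor, "put", id})
}

func (s *CloudStore) Get(actor, id string) (Blob, bool) {
	b, ok := s.blobs[id]
	s.log = append(s.log, AccessEvent{actor, "get", id})
	return b, ok
}

// AccessLog returns every recorded access in order.
func (s *CloudStore) AccessLog() []AccessEvent { return s.log }

// ProviderCanReadPlaintext reports whether the stored bytes for id expose the
// given plaintext, i.e. whether raw storage access alone would reveal PHI.
func (s *CloudStore) ProviderCanReadPlaintext(id string, plaintext []byte) bool {
	b, ok := s.blobs[id]
	return ok && bytes.Contains(b.Ciphertext, plaintext)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)            // constructed demo key only
	phi := []byte("MRN 00012345; dx: type 2 diabetes") // constructed sample PHI
	store := NewCloudStore()
	blob, _ := EncryptRecord(key, "rec-1", phi)
	store.Put("ehr-app", "rec-1", blob)
	got, _ := store.Get("storage-admin", "rec-1")
	fmt.Println("operator can read PHI from raw storage:", store.ProviderCanReadPlaintext("rec-1", phi))
	pt, err := DecryptRecord(key, "rec-1", got)
	fmt.Printf("decrypted at covered entity: %q (err=%v)\n", pt, err)
	for _, e := range store.AccessLog() {
		fmt.Printf("audit: %s %s %s\n", e.Actor, e.Action, e.RecordID)
	}
}
```

The design choice worth noting is that the access log is kept by the store, not by the application, because the article's concern is access by the vendor's own people; an application-side log would never see a storage administrator reading the blob directly. Client-side encryption is what makes that access harmless, and it is exactly the capability the paragraph says few healthcare application vendors offer.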

HIPAA, HITECH, and Meaningful Use Implications
Let’s look at the HIPAA and cloud question from a different perspective. In 2009, the ARRA expanded HIPAA to include the HITECH Act and meaningful use provisions. Organizations are now positioning to attain meaningful use in order to capture the incentives allocated by the federal government. In a few years, that carrot becomes a stick, and reimbursements will be in jeopardy for those who are not in line with the meaningful use provisions. The increased use of technology solutions in delivering clinical care, as put forth in meaningful use, is putting additional stress on IT departments. Most healthcare organizations cannot provide basic data center services in line with fundamental best practices, let alone operate a data center that approaches 99.999% availability. This means that most organizations are at risk for unscheduled outages. In an environment that is increasingly dependent on technology availability, this is becoming a life-or-death situation. Fixing the problem is expensive and, in general, healthcare providers should not be in the data center business—but that’s another story.

Cloud computing can provide a cost-effective solution for organizations needing to attain a certain level of availability but not wanting to invest the capital to build it on their own. With a cloud vendor, you in effect “rent” server, virtualization, network, storage, and security experts rather than having to keep them on your own payroll. Some of these folks are in high demand and can be expensive to hire.

When discussing high availability of clinical applications en route to achieving meaningful use, one must include infrastructure. If you are going to meet uptime requirements, you will need more than one data center. Undertaking the infrastructure work yourself will double your overall capital investment in data center infrastructure. This is another area where the cloud shines. An attribute of the cloud is rapid provisioning and deployment. You are able to change compute capacity as demand changes. In the cloud, server instances can also be quickly moved to alternate hosts or clustered to provide redundancy in case of failure. This is the easiest and least expensive way for even the smallest organizations to achieve what has historically been within the reach of only larger integrated delivery networks.

HIPAA Compliance and Cloud Computing—The Bottom Line
The bottom line is that cloud adoption and achievement of HIPAA compliance do not have to be in conflict. As with any evolving or new technological solution, it is critical for organizations to perform their due diligence so they fully understand not only the technology, but also how it impacts their environment. IT must develop the necessary skills or engage the assistance from a trusted advisor. They cannot shy away from new technology because they do not understand it. The cloud is here to stay and can provide a financial advantage to those who embrace it.

— Chris Witt, CEO, president, and cofounder of WAKE TSI, oversees data center and infrastructure-architecture relationships with some of the nation’s best hospitals, health networks, payers, and university teaching and research institutions as well as many large organizations in the commercial, federal, and state business sectors.