Cloud Services and HIPAA Considerations

We read this morning that 20/20 Hearing Care Network (20/20) contacted over 3 million patients after a criminal accessed 20/20's Amazon Web Services cloud bucket and either deleted or downloaded the information contained.

Using external cloud providers or other information services can simplify a HIPAA Security program. As service contracts are established, a Business Associate (BA) relationship is created. Let's look at one example... a doctor's office uses Microsoft M365 fully, having no local servers or other systems aside from their workstations, and uses another, separate cloud-based electronic health record (EHR) system. All ePHI is kept either in the M365 environment or in the EHR. In this case, the doctor's office could reference these contracts in their policy and procedures and transfer the risks associated with:

§ 164.308(a)(7)(ii)(A), Data Backup Plan

§ 164.308(a)(7)(ii)(B), Disaster Recovery Plan

§ 164.310(a)(2)(i), Contingency Operations, and

§ 164.310(d)(2)(iv), Backup and Storage.

However, using cloud based services doesn't necessarily mean that the service is secure and both Amazon and Microsoft have "Shared Responsibility Model" web pages that spell out what is provided and what a client is responsible to configure or maintain. Most cloud service providers come "out of the box" with myriad security controls to protect ePHI - but the details are worth covering and assumptions can result in an unauthorized access event (i.e. a breach). We encourage all of our partner-clients to learn from this breach, to review their BA service agreements and to ensure that a thorough review of all security controls is performed in support of § 164.308(a)(8).

Stay (HIPAA) safe, Alan -