How to Verify Your Cloud Service Provider is HIPAA Compliant

Date posted: 29th September 2015

Many HIPAA covered entity continue to maintain their own data center forgoing the cloud to ensure they remain within compliance requirements. For highly regulated industries including healthcare with strict HIPAA requirements there are barriers and challenges to Cloud Migration.

How can healthcare providers achieve a balance between meeting the requirements of being a covered entity and taking advantage of the benefits of Private/Public/Hybrid cloud migration?

To help healthcare providers learn how to verify their cloud service provider is HIPAA compliant we have outlined a 10 step checklist below:

How to Verify Your Cloud Service Provider is HIPAA Compliant

1. Policies: Your cloud provider must have a security program that meets the specific policies and procedures outlined by HIPAA for covered healthcare entities.
2. Resources: Your cloud provider must staff a dedicated person on-site whose job is to be responsible for matching the cloud service provider offerings with the latest requirements for HIPAA covered entities.
3. Access Controls: It is vital that your cloud provider has access controls in place that include electronic identification and limit physical on-site data access to a restricted list of people.
4. Transmitted Data Encryption: Unless the provider is processing your data, the cloud provider cannot offer security at the point of input, but it can ensure that the transfer of that data to and from the cloud is encrypted and secure.
5. Stored Data Encryption: If the cloud provider is storing healthcare data on hard drives, that data must be encrypted and each drive accounted for and access controlled at all times. That includes any backup copies of the data as well.
6. Logging and Monitoring: For cloud providers to be HIPAA-compliant, daily operational procedures that log and monitor the data in the cloud 24/7/365 looking for any suspicious activities are a must. Some use Security Operations Centers for this purpose.
7. Breach Notifications: In case of a security breach, cloud providers must have an incident response process that includes procedures for containing the incident and notification of HIPAA Covered Entities and associated stakeholders.
8. Cloud Disaster Recovery: A cloud provider should have a plan to address the recovery or continuation of technology infrastructure critical to a Covered Entity after a natural or human-induced disaster.
9. Data Location: HIPAA requires data to be stored in a United States based cloud service provider. Storage in a foreign country is prohibited because data access then becomes subject to that countries’ laws and regulations.
10. Track Record: Make sure you choose a cloud provider or Cloud Managed Services provider that has a proven track record, references and case studies of successfully managing cloud services for other healthcare clients. You want a provider that has a security awareness  and penetration testing program for its entire organization in place so everyone there is aligned.

Read More about Netfast Cloud Managed Services