Are Your Cloud-Based Services HIPAA-Compliant?

St. Elizabeth’s Medical Center (SEMC) in Massachusetts has learned the hard way that their file-sharing services were not.

In a July 10th bulletin, the Office of Civil Rights announced that a settlement was reached with St. Elizabeth’s Medical Center for potential HIPAA violations, requiring the organization to pay $218,400 in fines and address shortcomings in its HIPAA compliance plan.

The investigation was launched after a 2012 complaint by hospital employees that the medical center was using an Internet-based document-sharing program to store protected health information for nearly 500 people. Because the risks of this practice had not been fully analyzed, SEMC was found to be non-compliant with HIPAA regulations. The size of the fine also reflects a separate incident in which an SEMC employee's personal laptop and USB drive were stolen; the missing items contained unsecured ePHI for 595 individuals.

In the recent bulletin, OCR Director Jocelyn Samuels said, “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.”

As Covered Entities continue to move more ePHI to the cloud, the proper steps need to be taken to ensure that this information is not compromised. All cloud-service providers are considered Business Associates, and as such, a Business Associate Agreement should be in place. Under the Final Omnibus Rule, the cloud-service provider must be compliant with relevant HIPAA Privacy and Security Provisions, including carrying out a formal risk assessment to address areas of vulnerability. Cloud-service providers are required to report any breaches of ePHI, as well as provide annual training for employees on how to handle and protect ePHI.

Covered Entities should therefore choose their cloud-service providers wisely. Any provider can call themselves “HIPAA-ready”, but look for one that is “HIPAA-audited”, meaning it has undergone an independent audit following the OCR HIPAA Audit Protocol.

To make certain that you are up to date on all the latest government mandates and standards, excellent professional training companies exist. Avoid being placed in situations like SEMC by ensuring that your organization is fully HIPAA-compliant.