The Cloud and the Newly Finalized HIPAA


With the Cloud taking IT by storm, it is time to think a bit about HIPAA.

As a result of the HITECH Act of 2009, HIPAA was amended by a final rule (the "Omnibus Rule") that went into effect last March. In terms of compliance and liability, the third parties that handle protected health information on a covered entity's behalf, usually referred to as "business associates", and the subcontractors those business associates hire, are now directly liable for HIPAA violations.

In my experience, a business associate several steps down the chain from a cloud provider is easily overlooked. For example, a cloud-based solution is maintained by a third party; its backup service is subcontracted, or handled by another division of the cloud provider; and yet another party handles one aspect of that, say off-site backups. That last party is many times removed from the "owner" of the cloud, and it is not uncommon for it to be accidentally omitted from the list of business associates, even though it is now liable in its own right.

Technically, encrypting data at rest, protecting the keys, and following best practices does provide a legal safe harbor: PHI that is encrypted in line with HHS guidance is not considered "unsecured", so its loss does not trigger breach notification. However, the risk of a disk being stolen from somewhere in the cloud infrastructure is perhaps the least of the concerns here. The real worry is unauthorized access to the running cloud infrastructure itself, given that the cloud might not be entirely "private"; it could even be a public cloud shared with tenants you know nothing about. Encryption at rest does nothing against an attacker, or a fellow tenant, who reaches the data through a system that already holds the keys.

Key management, together with a continuous technical effort to ensure that each cloud customer's data is partitioned from everyone else's, is critical. Given that an organization touches the cloud infrastructure from many places, how encryption keys are used, and how they are kept safe both from other users of the cloud and from the personnel who operate the cloud storage, is vital. Even if the keys are safe, if other third parties and customers of the cloud can get at your data path, your data is far more exposed in spite of being encrypted. The cloud provider needs technical safeguards that isolate each customer's data from unauthorized access: separate keys per customer, key material held where storage operators cannot simply read it, and a record of every use of those keys.
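The partitioning-by-key idea above in working form: an envelope-encryption scheme in which every stored object gets its own data-encryption key (DEK), each tenant's DEKs are wrapped by a tenant-specific key-encryption key (KEK) that lives only inside a key service, and the ciphertext is bound to its tenant and object path through AES-GCM associated data. This is an added example and not code from the original post; the KeyService type is a hypothetical in-memory stand-in for a real KMS or HSM, and the tenant and object names in the tests are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what storage keeps per object; it is useless without the tenant's KEK.
type Envelope struct {
	TenantID, ObjectID string
	WrappedDEK         []byte // per-object DEK sealed under the tenant KEK
	Ciphertext         []byte // object bytes sealed under the DEK
}

// KeyService is a hypothetical in-memory stand-in for a KMS/HSM holding one
// 256-bit KEK per tenant; it wraps and unwraps DEKs and never hands a KEK out.
type KeyService map[string][]byte

func (k KeyService) Provision(tenantID string) { k[tenantID] = random(32) }

// random returns n bytes from the OS CSPRNG; a failing crypto/rand is fatal.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM with a fresh prepended nonce; aad binds the ciphertext to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad, or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the key service exposes.
func (k KeyService) WrapDEK(tenantID string, dek []byte) ([]byte, error) {
	kek, ok := k[tenantID]
	if !ok {
		return nil, fmt.Errorf("no KEK provisioned for tenant %q", tenantID)
	}
	return seal(kek, dek, []byte("kek:"+tenantID))
}
func (k KeyService) UnwrapDEK(tenantID string, wrapped []byte) ([]byte, error) {
	kek, ok := k[tenantID]
	if !ok {
		return nil, fmt.Errorf("no KEK provisioned for tenant %q", tenantID)
	}
	return open(kek, wrapped, []byte("kek:"+tenantID))
}

// Encrypt: a random DEK seals the object; the tenant's KEK (in the key service) seals the DEK.
func Encrypt(ks KeyService, tenantID, objectID string, plaintext []byte) (*Envelope, error) {
	dek := random(32)
	ct, err := seal(dek, plaintext, []byte(tenantID+"/"+objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(tenantID, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{TenantID: tenantID, ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt for callerTenant fails unless the caller's KEK unwraps the DEK and the AAD matches the caller's path.
func Decrypt(ks KeyService, callerTenant string, env *Envelope) ([]byte, error) {
	dek, err := ks.UnwrapDEK(callerTenant, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(callerTenant+"/"+env.ObjectID))
}
```

With this layout a storage operator who copies the disk, or a neighbouring tenant who reaches the object store, holds only wrapped keys and ciphertext; turning them back into data requires a call into the key service under the right tenant identity, which is also the natural place to log every key use.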

For more information on the updates to HIPAA, see this link as well as Gilad Parann-Nissany's comments on Cloud and HIPAA in a post in the Healthcare Scene LinkedIn Group.

Image courtesy of phanlop88.
