The decision to move data storage and processing to the cloud can be an exciting, if daunting, process. Many covered entities have found substantial cost savings and improved uptime for their companies. That said, choosing a cloud provider is not without its pitfalls. While there are many considerations to take into account, here are some of the most important questions to ask.
Will your cloud provider sign a Business Associate Agreement (BAA)?
Business Associate Agreements are required by HIPAA for any covered entity that obtains the services of an entity performing functions or activities that involve the use or disclosure of protected health information. In addition to vetting any BAA for specific HIPAA requirements, you must ask your cloud provider whether they will negotiate a BAA, or whether their BAAs are “take it or leave it.” Remember, you are paying someone to be the steward of your clients’ data, and you can be liable for any breaches or damages that they cause.
Will your cloud provider disclose their physical and technical security policies for their facilities?
As a covered entity, you cannot complete your HIPAA policies without knowing exactly how your cloud provider restricts physical and digital access to its facilities. Controls such as visitor badges, ID checks, and hardware monitoring are crucial to any Security Rule policy. Simply put, if they won’t share how they secure your clients’ data, why should you trust them?
When did the cloud provider last perform a security risk analysis?
Any cloud provider worth their salt will be able to provide their most recent security risk assessment and audit. Many companies perform these assessments several times a year. The follow-up question is whether the cloud provider uses NIST standards when performing its risk assessments. The importance of verifying the type of assessment cannot be overstated: NIST guidelines serve as the foundation for any OCR investigation into a Security Rule related breach.
What breach notification procedures are in place when an incident occurs?
Many covered entities overlook this issue and fail to set specific notification timeframes for security events, incidents, and breaches. Reporting requirements vary by state and entity, but some breach notification requirements are as short as 60 minutes (Texas). Despite these tight notification timeframes, some cloud providers give themselves as much as 30 days before they are required to notify their customers of a breach. As part of this process, you should audit each state you operate in and each contract you hold to verify notification timeframes and procedures.
As with any new vendor, be sure to ask for client references and have your attorney review all legal documentation. Remember, you are liable for the actions of your business associate, and your only protection is a well-planned, carefully crafted business associate agreement.
4 Questions Healthcare Practices Need to Ask Cloud Providers is authored by Hudson Harris, a HIPAA attorney and privacy expert—read more about the intersection of HIPAA and technology at his blog, Legal Levity.