Although the cloud offers healthcare providers, facilities and organizations substantial relief and efficiency, the industry has been slow to move data to cloud storage. Most of this apprehension can be traced to concern about remaining HIPAA compliant in the cloud and the sometimes-literal life-and-death need for constant data accessibility.
But as the healthcare sector converts from paper medical records to electronic health records by the government-mandated 2015 deadline, the benefits of cloud-based solutions are becoming increasingly difficult to overlook.
Now that data center operators and cloud-service providers are more definitively classified as Business Associates with recent HIPAA modifications, the healthcare industry is turning to external vendors at an unprecedented rate.
For healthcare technology decision makers, it’s important to remember that a signed Business Associate Agreement (BAA) between you and a cloud-service provider doesn’t absolve you from responsibility in the event of a data breach. You’re still entrusting an external vendor with highly confidential digitized patient data and your overall reputation. This shared accountability must be considered as you choose a cloud vendor to work with.
Here are a few suggestions to ensure you don’t get shark bit in these uncharted waters:
Be Thorough in Your Vetting Process
Do your homework to ensure that the vendor’s services are up to par with the needs of your office, organization or facility. Having the vendor complete an extensive questionnaire is a good way to assess their capabilities and gauge their comprehension of audits, encryption, and data security.
Stress the Importance of HIPAA Compliance and Hold Them Accountable
Ideally, your vendor has worked in the healthcare industry before and fully understands HIPAA requirements. If your vendor is inexperienced with this vertical and these regulations, their responsibilities for HIPAA compliance must be clearly communicated and understood. Oversight remains your responsibility, and you must ensure they’re ready to fully comply before proceeding. Be sure that line items for data recovery, data replication and backup solutions, and penalties for unplanned outages are ironclad and clearly agreed upon prior to signing a contract with any vendor.
Always remember that any cloud service provider you use should willingly sign a BAA to confirm shared accountability as a business associate. If they refuse to sign a BAA, it is best to seek out another vendor.