Seek Privacy, Security and Auditing Capabilities in Your Service Provider


In this second post on preparing your healthcare organization for cloud computing, I will address how healthcare businesses subject to HIPAA should carefully select a service provider with the capabilities to address HIPAA Privacy, Security, and Audit as well as provide secure, scalable, low cost IT infrastructure.

HIPAA’s Privacy Rule requires that individuals’ health information is properly protected by covered entities, meaning that patients’ “protected health information” (PHI) cannot be transmitted over open networks or downloaded to public or remote computers without encryption. Encrypting data in the cloud includes standards for the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual cloud computing environment, together with a complete firewall solution.

The Security Rule requires covered entities to put in place detailed administrative, physical and technical safeguards – such as access controls, data encryption, and back-up and audit controls – to protect electronic PHI. While data flowing to and from the cloud should be safeguarded with encryption, data that comes into contact with administrators or third-party partners may require different control mechanisms. To help you comply with HIPAA’s Security Rule, policies and processes covering data handling and the implementation of authentication, access, and audit controls must be in place to reduce the risk of a compromise from outside. HIPAA’s security safeguards also require:

  1. In-depth auditing capabilities,
  2. Data back-up procedures, and
  3. Disaster recovery mechanisms.

Service providers must be able to address these requirements. In designing a HIPAA-compliant system, you should put auditing capabilities in place that allow security analysts to drill down into detailed activity logs or reports to see who had access, what data was accessed, and so on. This data should be tracked, logged, and stored in a central location for extended periods of time in case of an audit.

A major goal of HIPAA is to assure patients that their health information is properly protected while allowing the flow of information needed to provide and promote high-quality healthcare for the public’s health and well-being. The development of a business-focused cloud computing strategy, internal corporate data policies and an accompanying transformation roadmap can lead to the successful implementation of HIPAA applications and infrastructure in the cloud computing environment.

About the author

Jim has in-depth experience in assessing and managing complex IT Infrastructure engagements focused on helping corporations achieve their business objectives. He offers expertise in strategy assessment and development, statement of work, service level agreements, business-driven RfP development, transactions, contract negotiations and transition planning across IT Infrastructure areas and expertise in IT service management integration. Jim has worked with global enterprises in the automotive manufacturing, banking and financial services, healthcare, utilities, aerospace and retail industries, focusing on collaborative techniques with clients and service providers to achieve the desired business outcomes. He recently led the negotiation of a large infrastructure contract with a utilities company and a cloud computing transition. Included in this successful project was the development and execution of the sourcing strategy, assessment and transaction process and project management, negotiation strategy development and financial proposals and executive leadership communication. Jim is ITIL V3 Foundation certified and a thought leader on the topic of the digital workplace.