The HIPAA Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164 of the Act. The rule stipulates that individual medical records and other personal health information shall be protected by health plans, health care clearinghouses and those health care providers who conduct health care transactions electronically. The rule requires that these organizations create appropriate safeguards to protect the privacy of personal health information. Health information cannot be disclosed without patient authorization, and patients have a right to their health information, including the right to obtain a copy of their health records or to request corrections to those records.

HIPAA provisions automatically extend to service providers who are viewed as business associates of the health care provider. The level of security required for private information is not reduced merely because the cloud service provider does not directly handle the health information or does not have access to it. Furthermore, all regulations regarding the protection of health information, and the consequences of a breach or of failing to give notification of a breach, apply to the service provider just as they apply to the principal. Support for this is provided by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Consequently, cloud service providers that host data from health care providers are compelled to align their services with the requirements of HIPAA in order to remain competitive in their niche market and to provide the kind of secure services their customers are looking for.

It follows that cloud service providers subject to the HIPAA provisions must remain aware of the emerging provisions of HIPAA. They need to understand and appreciate that their customers must comply with three main provisions of HIPAA, and they must ensure that their software enables those customers to do just that. They must take on the substantial challenges posed by the Act and must create modular software that can be modified to accommodate the changes made to HIPAA every year, with a view to reaching appropriate standards of practice. They must also align their software to accommodate the different state laws and regulations that have a bearing on the handling of patient information.

The three major provisions of HIPAA that must be integrated into any cloud service software are:

  • Maintenance of confidentiality, integrity and availability of personal health information that is created by the health care provider.
  • Protection of the information against any reasonably anticipated threats or hazards to the security or integrity of the information while it is being transmitted to or resides in their storage servers.
  • Protection against disclosure or loss of the information that is transmitted to or stored in their data repositories.