Health Insurance Portability and Accountability Act (HIPAA) compliance is mandatory, and nowhere more so than for health care organizations, where patients share private data with their doctors in absolute trust. Health care institutions that use cloud backup and the Internet therefore have to be doubly careful that the data is secured against unauthorized access and that patients are not exposed to harm through careless staff or weak security controls.
HIPAA prescribes standards for the privacy and security of health information. The Act itself was passed by the US Congress in 1996. The privacy standards, the "Standards for Privacy of Individually Identifiable Health Information" (the Privacy Rule), were issued by the Department of Health and Human Services in December 2000, with compliance required from April 2003; the Security Rule, which sets the safeguards for electronic protected health information, followed in 2003 with compliance required from April 2005. The rules give individuals a guarantee of privacy and control over how their information is used. Patients can request a copy of their medical records, ask for corrections, obtain an accounting of disclosures, and authorize or refuse uses and disclosures that go beyond treatment, payment and health care operations, including sharing with the provider's business associates.
Health care providers (the "covered entity" in HIPAA terms) that use cloud backup must ensure the backup vendor has appropriate controls in place to secure patient information, and must have a business associate agreement with that vendor. Data transmitted over the Internet must be encrypted with current, standards-based algorithms (TLS for the connection and a modern authenticated cipher such as AES-GCM for the payload); no algorithm is "unbreakable", so what matters is using well-reviewed ones correctly and keeping the keys out of the vendor's hands. Data at rest must stay encrypted, and data marked for deletion must be removed from every location where it was stored, including replicas, snapshots and tapes, or rendered permanently unreadable by destroying the key that protects it. Recovered data must travel from storage to the client machine encrypted, and only authorized personnel may download or restore it; that access should be logged and reviewed. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, a cloud backup provider that stores protected health information is a business associate in its own right and is directly liable for complying with the Security Rule and the applicable Privacy Rule provisions, even if it holds only encrypted data it cannot read.
Critics of cloud backup point out that the encryption key is the most vulnerable part of the entire chain of cloud processing, and they are right that the key decides everything: whoever holds it can read every backup, and if it is lost, no backup can be restored. Handled properly, though, cloud backup can actually be safer for health care providers than unmanaged on-premises storage. Providers need to keep the key under their own control and inaccessible to third parties, including the vendor, ideally in a hardware security module or key management service; keep a secured, separately stored copy of the key so that losing it does not mean losing the data; restrict and log who can use it; and rotate it if exposure is suspected. They need to evaluate the entire cloud backup processing chain, understand where it is vulnerable, and guard against those weaknesses with the help of a vendor who is equally bound by the law.
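The following Go program is an added example, not code from the original article or from any backup vendor, showing the model the previous two paragraphs describe in working form: the covered entity encrypts each backup on its own machine under a per-backup data-encryption key (DEK), wraps that DEK under a key-encryption key (KEK) it keeps in its own key store, and uploads only ciphertext. The vendor never receives a key, a wrong KEK or a tampered blob fails authentication, and "deleting from all locations" is done by destroying the wrapped DEK, which leaves every replica of the ciphertext unreadable. The function names (EncryptBackup, RecoverBackup, Shred), the backup ID and the sample record are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealGCM encrypts plaintext under key with AES-256-GCM, binding aad, and
// returns nonce||ciphertext||tag. A fresh random nonce is drawn per call.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, wrong aad or any modified byte fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptBackup runs on the covered entity's side before upload. It returns
// the blob handed to the vendor and the wrapped DEK the covered entity keeps.
// backupID is bound as associated data so a DEK cannot be reused for another backup.
func EncryptBackup(kek []byte, backupID string, payload []byte) (blob, wrappedDEK []byte, err error) {
	dek := make([]byte, 32) // fresh 256-bit key per backup
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	aad := []byte(backupID)
	if blob, err = sealGCM(dek, payload, aad); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = sealGCM(kek, dek, aad); err != nil {
		return nil, nil, err
	}
	return blob, wrappedDEK, nil
}

// RecoverBackup runs on the covered entity's side after download. Without the
// KEK and the wrapped DEK, the vendor's copy of blob is only ciphertext.
func RecoverBackup(kek, wrappedDEK []byte, backupID string, blob []byte) ([]byte, error) {
	if len(wrappedDEK) == 0 {
		return nil, errors.New("no DEK for this backup: shredded or never existed")
	}
	aad := []byte(backupID)
	dek, err := openGCM(kek, wrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	payload, err := openGCM(dek, blob, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt backup: %w", err)
	}
	return payload, nil
}

// Shred deletes a backup "from all locations" without relying on the vendor:
// destroying the only wrapped DEK leaves every replica of blob undecryptable.
func Shred(keyStore map[string][]byte, backupID string) {
	if w, ok := keyStore[backupID]; ok {
		for i := range w {
			w[i] = 0
		}
		delete(keyStore, backupID)
	}
}

func main() {
	kek := make([]byte, 32) // in production: held in the covered entity's HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	keyStore := map[string][]byte{} // covered entity's key store, never uploaded
	vendor := map[string][]byte{}   // everything the cloud backup vendor holds

	record := []byte("MRN 000123; dob 1970-01-01; dx: constructed sample, not real PHI")
	const id = "backup-2024-01-15"
	blob, wrapped, err := EncryptBackup(kek, id, record)
	if err != nil {
		panic(err)
	}
	vendor[id], keyStore[id] = blob, wrapped

	got, err := RecoverBackup(kek, keyStore[id], id, vendor[id])
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, record))

	Shred(keyStore, id)
	_, err = RecoverBackup(kek, keyStore[id], id, vendor[id])
	fmt.Println("after shred:", err)
}
```

The split between keyStore and vendor is the point: the vendor holds replicas of blob wherever it likes, but every one of them depends on a wrapped DEK that exists only in the covered entity's store, so key loss on the provider side (not the vendor side) is the real single point of failure and is what the key backup and HSM advice above addresses.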