Considerations for Storing Electronic Health Information in the Cloud

Corey Lamb
Published in Slalom Technology
Oct 11, 2018

In 1973, a fire at the National Personnel Records Center in St. Louis “destroyed 80 percent of the records held for Veterans who were discharged from the Army between November 1, 1912, and January 1, 1960.” Forty-eight years’ worth of records. Gone.

Today, most large-scale cloud providers guarantee availability of the information by backing the data up to multiple geographic locations in the cloud. Should one location be damaged or destroyed, a full backup from the secondary location can be used. But how much safer is it than traditional paper storage? Maybe not as much as you think.

There is no doubt that cloud storage vastly increases the availability of the information. However, an increase in availability often makes it more difficult to ensure confidentiality. This is especially important when dealing with personal medical records protected under HIPAA.

How do we ensure that our data remains private while still being readily available?

The US Department of Health and Human Services (HHS) already has guidelines for storing electronic protected health information (ePHI) in the cloud.

To summarize, the covered entity (the entity that must abide by the HIPAA rules) and the cloud service provider (CSP or business associate) must enter into a business associate agreement (BAA). The required contents of the BAA are:

  1. Set the rules for what the business associate can do with the data.
  2. The business associate can do nothing else with the data except what is in this contract and otherwise required by law.
  3. The business associate will implement proper security controls for ePHI, including following the HIPAA Security Rule.
  4. The business associate must notify the covered entity of any use or disclosure of data that has occurred, except those listed in the contract. This includes security incidents or breaches.
  5. The business associate must allow data access to the covered entity in response to personal information requests from specific patients.
  6. The business associate must comply with the same Privacy Rule that is applicable to the covered entity.
  7. The HHS must have access to all practices and records of the business associate with regard to the data in order to verify compliance with HIPAA.
  8. The business associate must destroy or return, when possible, all data at the termination of the contract.
  9. Any subcontractor of the business associate that will have access to the data must also comply with the same rules as the business associate.
  10. The covered entity can terminate the contract if the business associate violates any of these, or other HIPAA, requirements.

As far as the HHS is concerned, the BAA is the only special requirement for cloud storage of ePHI. After a BAA is signed, the normal HIPAA rules apply.

This agreement should prevent all data leakage, in theory.

Is this sufficient practice?

According to multiple sources, non-malicious human error is the cause of the vast majority of data leakage. It doesn’t matter how many regulations are in place: if an individual is poorly trained, the data is at risk. The data might be protected when no one is using it, but it may be sent to the wrong individual after a request, or an authorized viewer’s credentials may be compromised.

Should we store ePHI in the cloud?

Ideally, storage of ePHI in the cloud is highly beneficial for all parties. However, covered entities must provide proper training to the users with access to the data. I always encourage my clients at Slalom to only store the information necessary to their business. Storing information that you don’t need will simply be a liability. I also encourage comprehensive security awareness training on a regular basis, especially in cases where personal information may be compromised. While fire is less of a threat to information once it has been migrated to the cloud, information theft and data leakage are alive and well.

Corey Lamb
Slalom Technology

Software Engineering Consultant with a background in Information Security and Networking