HIPAA Security Rule Checklist: Is Your Cloud Provider HIPAA Compliant?
Insurance and healthcare providers are subjected to strict regulations and policies due to privacy laws set in place to protect patient data. That is why it is critical for these organizations to abide by the rules and standards outlined by the Health Insurance Portability and Accountability Act (HIPAA). If you’re sending data to the cloud, you need to make sure you choose a provider who can abide by all of the regulations set forth by HIPAA. So how can you ensure that your cloud provider is HIPAA compliant? Here are some important factors to consider.
HIPAA Security Rule Checklist
Business Associate Agreement
The first step of the HIPAA security rule checklist is signing the Business Associates Agreement (BAA). It’s essential that your cloud provider be able to sign your BAA, which is a required component of ensuring HIPAA regulation compliance in the cloud. If your provider is unable to do so, it’s best to move on to a different provider.
The Location of the Data Center
In order for your cloud service provider to be compliant with a number of strict regulations, they must be able to show where your data is at all times. That means your provider should be able to document the location of the data center where your data is kept, which could be a factor that gets brought up in the case of an audit. Many regulations require data to be located within U.S. territory due to privacy law standards and potential legal issues when it comes to keeping such data in foreign territories.
Data Access Controls and Regulations
Your cloud provider should be able to demonstrate a number of different system and data access controls. Especially during an audit, the cloud provider needs to show exactly how user access to critical data is both controlled and consistently maintained -- this includes access to the data center, facility equipment, systems and more; access to customer data needs to be limited solely to properly authorized individuals.
Data Encryption in Flight and at Rest
One of the most critical components of keeping data protected and HIPAA compliant is data encryption. Your cloud service provider needs to encrypt data in flight, at rest and during transmission via industry standard SSL transmission. Continuous monitoring of systems availability as well as SLA compliance is also a must when it comes to maintaining compliance. Real time data validation to ensure data is complete and correct is also important to provide.
Ongoing Auditing and Reporting
A HIPAA compliant cloud service provider has to show that their organization undergoes ongoing log and security reviews, which help ensure that data, systems and environments are safe and protected at all times. Such reviews could include monthly or quarterly engineering reviews, third-party audits and access reports.
Employee Access Controls
How does the cloud provider control employee access to HIPAA compliant data? The provider should be able to demonstrate that they do thorough background checks of employees who have access to client data, as well as regular security reviews as policies change over time.
Making sure your provider is compliant with HIPAA regulations when you initially hand over the keys to your data is an important first step, but keep in mind that maintaining compliance doesn’t stop there. Policies and regulations are constantly evolving, which means you need to stay on top of those changes in order to avoid a serious data protection incident.
To get more information on keeping data secure in the cloud, get the full HIPAA security rule checklist.
See how Zetta does secure backup and restore.