HIPAA Compliance and the Cloud

Are you properly utilizing the cloud to store sensitive data?


The recent widespread adoption of cloud computing is revolutionary, but it doesn’t come without its share of complications. When electronic protected health information is involved, it’s imperative to know that security will never be compromised. Some cloud storage services, such as Dropbox and iCloud, are not HIPAA compliant. Dropbox retains metadata, which could include identifying information, and neither service offers the option to sign a Business Associate Agreement (BAA).

While services like Microsoft Office 365 and Google Drive are willing to enter into BAAs, the large amount of sensitive patient data stored in, for example, a spreadsheet is susceptible to inappropriate access. A single user, in this case, would be able to access thousands of records while only requiring access to a specified few. Additionally, the ability to synchronize entire folders across several devices undermines the security of that information in the event of a stolen or compromised device. The theft of just two unencrypted laptops last year resulted in a breach of 729,000 health records. In fact, physical theft accounted for over half of all breaches in which 500 or more records were compromised.

The solution to reconciling the open, unrestricted nature of the cloud with sensitive health records lies in structured data. With a structured data set, businesses can ensure that each health record is only accessed by individuals with the proper permissions. This stands in clear contrast to file sharing, the basis upon which most cloud solutions operate: files are downloaded locally, where they become difficult to properly audit and secure.

Mobile Health’s proprietary web-based client portal takes into account the necessary precautions for cloud-based HIPAA compliance. The client portal is an electronic health records system that meets and exceeds all HIPAA regulations. This includes SSL-secured 256-bit encryption of:

  • Client Information
  • Correspondence
  • Databases

Furthermore, it utilizes a permission-based user design, which restricts each user account to only the data it has been granted access to. You can assign custom permissions across four types of data:

  • Scheduling
  • Billing & Invoice
  • Medical Information
  • Background Checks

For instance, you can assign access to invoices for billing and coding specialists, while reserving the ability to view pre-employment screening schedules and medical information for recruiters. Within each category are more specific options, such as the “red code” for medical information, which you may allow only supervisors to view. The knowledge that your sensitive data is secure and only accessed within a set of clearly defined borders goes a long way in establishing peace of mind in the new cloud-computing landscape.
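The following is an added example, not Mobile Health's code, showing what the permission-based, structured-data design described above looks like in practice: access is decided per record, per data category and per restricted field (the “red code”), and every decision is written to an audit trail, in contrast to handing a user a whole spreadsheet. The four categories and the “red code” field come from the text; the role names, client scoping, record layout, log format and sample data are assumptions made for illustration.

```python
# Added example (not Mobile Health's code): per-record, per-category
# authorization with a field-level restriction and an audit trail.
# Categories and the "red code" field come from the page; role names,
# record layout, client scoping and log format are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SCHEDULING = "scheduling"
BILLING = "billing"
MEDICAL = "medical"
BACKGROUND = "background_checks"
RED_CODE = "red_code"  # restricted field inside the medical category


@dataclass(frozen=True)
class Permission:
    """Grant on one data category, plus restricted fields this role may view."""
    category: str
    fields: FrozenSet[str] = frozenset()


@dataclass
class User:
    name: str
    permissions: FrozenSet[Permission]
    # None = may see every client's records in the granted categories;
    # otherwise only the listed clients (the "specified few" from the page).
    client_ids: Optional[FrozenSet[str]] = None


@dataclass
class Record:
    client_id: str
    category: str
    data: Dict[str, object]
    restricted_fields: FrozenSet[str] = frozenset()


AUDIT_LOG: List[Dict[str, object]] = []  # every allow/deny decision lands here


def _permission_for(user: User, category: str) -> Optional[Permission]:
    for perm in user.permissions:
        if perm.category == category:
            return perm
    return None


def view_record(user: User, record: Record) -> Optional[Dict[str, object]]:
    """Return the fields of `record` the user may see, or None when denied.

    Unlike sharing a whole file, the check runs per record, per category and
    per restricted field, and the outcome is always logged for later review.
    """
    perm = _permission_for(user, record.category)
    in_scope = user.client_ids is None or record.client_id in user.client_ids
    entry: Dict[str, object] = {"user": user.name, "client": record.client_id,
                                "category": record.category}
    if perm is None or not in_scope:
        entry["decision"] = "deny"
        AUDIT_LOG.append(entry)
        return None
    # Drop restricted fields unless this role was explicitly granted them.
    visible = {k: v for k, v in record.data.items()
               if k not in record.restricted_fields or k in perm.fields}
    entry["decision"] = "allow"
    entry["fields"] = sorted(visible)
    AUDIT_LOG.append(entry)
    return visible


def query(user: User, records: List[Record], category: str) -> List[Dict[str, object]]:
    """Everything the user may see in one category, filtered row by row."""
    results = []
    for rec in records:
        if rec.category != category:
            continue
        visible = view_record(user, rec)
        if visible is not None:
            results.append(visible)
    return results


# Constructed sample data (not real patient information).
RECORDS = [
    Record("client-001", BILLING, {"invoice_id": "INV-1", "amount": 120.0}),
    Record("client-001", MEDICAL, {"visit": "2024-01-10", "notes": "routine",
                                   "red_code": "flag"},
           restricted_fields=frozenset({RED_CODE})),
    Record("client-002", MEDICAL, {"visit": "2024-02-02", "notes": "follow-up",
                                   "red_code": "flag"},
           restricted_fields=frozenset({RED_CODE})),
    Record("client-002", SCHEDULING, {"screening_date": "2024-03-01"}),
]

# Hypothetical roles mirroring the page's examples.
BILLING_SPECIALIST = User("billing_specialist", frozenset({Permission(BILLING)}))
RECRUITER = User("recruiter",
                 frozenset({Permission(SCHEDULING), Permission(MEDICAL)}),
                 client_ids=frozenset({"client-001"}))
SUPERVISOR = User("supervisor",
                  frozenset({Permission(MEDICAL, frozenset({RED_CODE}))}))

if __name__ == "__main__":
    print(query(RECRUITER, RECORDS, MEDICAL))   # medical data, no red code
    print(view_record(SUPERVISOR, RECORDS[2]))  # red code visible
    print(view_record(BILLING_SPECIALIST, RECORDS[1]))  # None: denied
    for line in AUDIT_LOG:
        print(line)
```

The recruiter in this example is scoped to one client and never receives the red-code field; the supervisor sees it; the billing specialist cannot read medical data at all. Because denials are logged alongside allows, a reviewer can later answer "who tried to read which record" without reconstructing it from synced file copies.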

Visit the Mobile Health Advantage page for more information.