HIPAA Privacy and Security and the Cloud

jmbunnyfeet

Is your cloud solution or hosting service HIPAA compliant? This is among the most frequently asked questions from professionals shopping for cloud hosting services. Unfortunately, it is also among the questions most frequently answered with ambiguity, or with naiveté. The problem is that many businesses carrying HIPAA compliance responsibilities for the protection and security of personal health information may not fully understand how those responsibilities extend to outsourced IT and other service providers. In the case of HIPAA compliance, many providers claim compliance without truly understanding what it means, and in doing so introduce significant risk to their own business and to their subscribing customers. With recent changes in the rules governing protection and control of personal health information, it is no longer just the health care provider, the health plan, the third-party administrator or others that process health insurance claim information who must agree to provide adequate controls. The requirement may fully extend to the business associates of these entities, possibly including their cloud service or hosting solution providers.

Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. (Source: http://www.hhs.gov/news/press/2013pres/01/20130117b.html)

HIPAA guidelines and rules exist to protect and secure personal health information, a requirement growing in importance with advancements in technology, electronic health records, e-billing solutions, and cloud computing adoption. Where the regulations were once focused on the entity directly involved in generating or processing the information, the view now extends not only to third-party administrators, but also to the technology solutions and providers involved. When a "covered entity" (an entity with a responsibility to protect and secure personal health information [PHI]) decides to move this information to the cloud, a number of important and complicated issues must be addressed in the agreements with the service or solution provider. These issues include security and privacy of information (including providing individuals the right to access and request changes to the stored information), tools the provider may offer to give the customer additional security protection, encryption of data at rest and in transmission (and who holds the keys), data location, return of data, disaster recovery, and service levels.

Cloud provider contracts and business associate agreements with cloud providers are not one-size-fits-all and should be negotiated carefully to protect PHI in a manner that accurately reflects the capabilities of the parties. (Source: http://www.americanbar.org/content/newsletter/groups/labor_law/ebc_newsletter/12_winter_ebc_news/ebc12winter_cloud.html)

The provider delivering cloud hosting services to the business may now be considered a "business associate" under HIPAA, meaning that the responsibilities of the customer (the "covered entity") also extend to its service provider. For any business operating under a HIPAA compliance requirement, moving to the cloud must involve a detailed discussion and a set of agreements that spell out the "business associate" relationship as well as the details of service delivery and the accepted performance levels.

Joanie Mann, Bunny Feet

The True Cost of the Cloud

Excerpt from the article "The True Cost of the Cloud" on Intuit Accountants News Central:

“Accounting professionals are strongly encouraged to adopt cloud computing models in their practices, and there can be little argument that mobility and access are driving the need. In concert with the messages supporting mobile access to business information – and the value of anytime, anywhere access – cloud service providers are strongly suggesting that the overall cost of purchasing and maintaining information technology (IT) in the business is much lower when a cloud computing approach is used.

Arguments over the total cost of IT and related services become somewhat subjective. Many business owners and managers fail to consider the value of their own time spent dealing with business technology issues, much less the time spent by in-house employees and remote workers. To further complicate the issue, dramatic changes in process support and delivery, connected service and cloud computing approaches are impacting business productivity and profitability in new and dramatic ways. As a result, every business should consider the costs and the benefits of this new connected and collaborative working model.

At the core, cloud computing is really just an outsourced IT service that addresses the various levels of application and computing infrastructure. From IaaS (infrastructure as a service) to SaaS (software as a service) and all things in between, a viable cloud computing approach for a business may encompass little more than co-location of physical server and network resources with a third-party infrastructure provider, or something much larger in scale, such as offloading virtually every aspect of application management and delivery to a SaaS solution.

Because there is no single, correct definition of what makes up a “cloud” service model, attempting to compare costs directly to a more traditional IT approach is quite complicated.”

Read the entire article at Intuit Accountants News Central: http://blog.accountants.intuit.com/ways-to-grow-your-business/the-true-cost-of-the-cloud/