Managing Protected Health Information in the Cloud

Kohezion
6 min read · Apr 11, 2022


When storing healthcare information in the cloud, questions often arise about the safeguards in place to protect this data and how regularly security updates are applied to prevent cyberattacks. So how should a company address these concerns about safe cloud storage? The security measures taken by cloud service providers handling Protected Health Information (PHI) or HIPAA-compliant data are likely to be considerably more robust than what you have on your own personal device. Regardless, it remains extremely important for service providers to maintain a high level of security and accountability at all times when hosting PHI on their servers. To recap, let’s go over some HIPAA basics, since the best practices and recommendations below are based specifically on the handling of healthcare data.

So what is HIPAA and what personal data is covered by it?

HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to prevent the disclosure of sensitive patient health information without the patient’s knowledge or consent. HIPAA covers entities that deal directly with patient information (e.g. healthcare providers) and third parties who handle data on behalf of healthcare providers (e.g. medical insurers). There are significant fines associated with HIPAA breaches, whether they are intentional or unintentional.

PHI: Protected Health Information (PHI) includes, but is not limited to, the following health information: diagnoses, medical history, treatment plans, test results, and patient prescription information.

For cloud service providers, three key considerations help ensure that client data is stored in a secure and HIPAA-compliant way: outlining liability, practicing data minimization, and enforcing data protection through technology design.

Liability

For cloud service providers, clearly defining and outlining liability for all parties involved is extremely important. Businesses can mitigate liability and perform their due diligence in a number of ways, including following industry best practices such as those set out in terms of service, data destruction policies, and disclosure agreements.

Terms of Service

  • It is always important for businesses to have a clearly stated privacy policy and terms of service outlining the responsibilities and expectations of both parties involved.
  • If one party breaches the terms of service, the other party can terminate the agreement.
  • For example, a software company offers a free trial for new users. When a new user signs up for the trial, they must agree to the terms of service, which state that the free trial version of the software is not HIPAA compliant. By accepting the terms of service, the user agrees not to store PHI in the trial version of the account.
  • This limits liability for the cloud provider in the case of a data leak, should the trial user store PHI in the account anyway.

Disclosure Responsibilities

  • As a data processor and not a controller, the cloud service provider should never, in any case, disclose information to a third party.
  • For example, if a patient of a healthcare clinic contacts the cloud provider directly, they should be redirected to the healthcare clinic for questions concerning their data.
  • The data processor’s role is simply to store data on behalf of the client; the processor can limit liability by making this clear in the service contract. How the data controller handles the disclosure is ultimately at the controller’s discretion.

Data Destruction

  • Clients who no longer use the cloud provider’s service may want assurance that their data is not retained after the end of the use term.
  • To reduce the number of inquiries about data destruction and to mitigate the risk of mishandling it, it is in a cloud provider’s best interest to clearly state how long data will be retained after an account has become static (e.g. 18 months), and how it will be disposed of.
  • As a best practice, a software provider should include the data destruction policy in its privacy statement to address any questions that former account users may have.

Data Minimization

To continue the conversation around data destruction, it is important to discuss the concept of data minimization. Data minimization is the practice of ensuring that the personal data being processed is adequate (sufficient for the purpose), relevant (related to the purpose), and necessary (limited to only the information required to accomplish a specific task). By collecting only data that is absolutely necessary, a data controller, and thus its data processor, limits the information exposed in the event of a breach or cyberattack.

Data Regulators

  • For data regulators (such as cloud service providers), there are numerous risks associated with poor record management and retaining data for longer than necessary. Besides an obvious breach, other issues can arise internally if information such as old employee records and financial information is kept.
  • Closely related to a clearly stated data destruction policy, regulators should never keep information longer than they need to, in order to avoid accidental or malicious disclosure.

Synthetic Data

  • Another strategy that supports data minimization is to use artificial intelligence or synthetic data to perform important research without using real-life confidential information. This strategy is particularly suited to fields such as healthcare, where information is sensitive and protected by HIPAA but still required for research or big data insight.
  • Where there are privacy limitations such as HIPAA, synthetic data can help medical researchers or institutions create shareable data and overcome these challenges.
  • For example, synthetic data is used in clinical trials where the data sample size needs to be large enough to create control groups and effectively predict an outcome. It would also support collaboration among many researchers or different institutions.

Reidentification/Deidentification

  • In contrast to synthetic data, data deidentification can support research by mitigating the risks associated with using identifiable data. Reidentification is the reverse: the process of matching anonymous data with publicly available information.
  • Making data anonymous by redacting key pieces of information allows individual records to be shared more safely, when done correctly.
  • For example, a cloud service provider might handle deidentified electronic health records on behalf of a hospital so that they can be accessed by multiple physicians consulting on a patient’s treatment plan.
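The following is an added example (not from the original post, and not Kohezion’s code) of field-level deidentification of a constructed patient record before it is shared for consultation or research: direct identifiers are dropped, birth date and ZIP code are generalized, and a pre-export check confirms that no direct identifier field remains. The field names, the identifier list, and the sample record are assumptions made for illustration.

```python
# Added example: deidentify a constructed patient record before sharing.
# Field names and the identifier list are assumptions for this illustration,
# not taken from any product or regulation text.
from copy import deepcopy

# Direct identifiers that are removed outright (assumed list).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "address"}

# Constructed sample record. The clinical fields (diagnosis, prescriptions,
# test results) are what a consulting physician or researcher actually needs.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "address": "1 Example Way",
    "birth_date": "1961-04-17",
    "zip": "02139",
    "diagnosis": "Type 2 diabetes mellitus",
    "prescriptions": ["metformin 500mg"],
    "test_results": {"HbA1c": 7.2},
}


def deidentify(record: dict) -> dict:
    """Return a copy with direct identifiers dropped and quasi-identifiers
    generalized: full birth date becomes birth year, ZIP keeps 3 digits.
    The input record is left unchanged."""
    out = {k: deepcopy(v) for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in out:
        out["birth_year"] = int(out.pop("birth_date")[:4])
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "**"
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Pre-export check: True if any direct identifier field is still present."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


if __name__ == "__main__":
    shareable = deidentify(SAMPLE_RECORD)
    assert not contains_direct_identifier(shareable)
    print(shareable)
```

Generalizing quasi-identifiers (here birth date and ZIP) matters because dropping names alone still leaves records open to the reidentification described above.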

Privacy by Design

Privacy by design simply means an organization’s technology and policies are built with data protection in mind. Having this infrastructure in place can help identify and protect against anticipated threats to the security or integrity of the information.

Internal Controls

  • Organizations can put in place internal controls that take a preventive rather than a remedial approach, such as safeguards, regular audits, and penetration testing.
  • Internal controls could include administrative, technical, and physical safeguards.
  • Additionally, a regular internal audit could include a penetration test to assess weak points and identify exploitable vulnerabilities in an organization’s cyber defences.

ISO Standards

  • Obtaining an International Organization for Standardization (ISO) certification can add to an organization’s credibility by demonstrating a willingness to go above and beyond to provide an exceptional product or service experience to clients.
  • For example, a software provider that obtains an ISO certification (ISO/IEC 27001 and ISO/IEC 27002) for privacy information management shows current and future clients that it wants to be recognized for prioritizing privacy and security, which is also a great marketing tool.

Marketing

  • Privacy by design serves multiple purposes: the first, of course, is to protect sensitive data and avoid a breach, misuse, and heavy fines; the second is communication and marketing.
  • Organizations that can explain why their product or service stores data more securely not only reinforce their company’s value proposition but also gain a competitive advantage.
  • Beyond marketing products through technology design, consistent internal training on security and privacy for employees helps build a security culture and embeds these values deeper into an organization by setting a standard.

Kohezion

Kohezion is HIPAA-compliant database software that empowers medical research, healthcare, and high-security sectors to build their own flexible, customizable systems without the need for a developer. As a software provider, Kohezion is committed to creating a highly secure and transparent experience through employee training, added encryption, and limited-access policies that safeguard the collection, use, and disclosure of data. At Kohezion, we believe that you understand your business needs better than anyone, which is why you should be the one in control of your data.
