Regulations and the cloud: HIPAA modification provides clarity
Changes to the regulations should make it easier for cloud clients and vendors to understand their responsibilities
Computerworld - Many regulatory requirements that impact cloud computing were enacted before cloud computing came into existence. As a result, they don't directly or effectively address issues that can arise because of the cloud, leaving both client organizations and cloud vendors without clear guidance on how to comply. While such laws are typically updated at a much slower pace than the cloud evolves, now that the cloud is becoming more established, some regulations are starting to catch up. A case in point is the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA establishes national standards to protect people's electronic protected health information (PHI) and requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic PHI. Any organization in the U.S. contemplating moving a function involving PHI to the cloud needs to thoroughly understand HIPAA and comply with it.
HIPAA was initially enacted August 21, 1996, more than a year before the first known academic usage of the term "cloud computing" and more than a decade before most businesses were even considering the possibility of entrusting data to cloud vendors. A significant modification to the act was issued on January 25, 2013. While none of this modification's 138 pages specifically mentions cloud computing, the changes it contains are applicable and should be fully absorbed by your cloud-computing team.
To use the language of HIPAA, a client organization moving a function that involves PHI to the cloud would be what is identified as a "covered entity." A vendor that creates, receives, maintains or transmits PHI on behalf of a covered entity would be what is called a "business associate." While HIPAA doesn't specifically identify cloud computing vendors as business associates, they clearly fall within this scope.
Historically, covered entities have been directly responsible for HIPAA compliance, with business associates only indirectly responsible via a business associate agreement (BAA) between the two parties. According to HIPAA, a BAA needs to require the business associate to implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI, and to ensure that any subcontractor engaged by the business associate in this process agrees to implement similar safeguards.
Some of the largest reported HIPAA breaches to date have involved business associates, so it should come as no surprise that a number of changes in the recent modification clarify and increase the accountability of business associates. Specific elements of the modification that are pertinent to cloud computing include:
* Business associates are now separately and directly liable for compliance with, and violations of, HIPAA privacy, security and breach notification rules.
Other columns by Thomas Trappler
- NASA's cloud audit holds value for all
- Who can pry into your cloud-based data?
- Does your cloud vendor protect your rights?
- Software licensing in the cloud
- For credit card handlers, cloud computing guidelines just got clearer
- Regulations and the cloud: HIPAA modification provides clarity
- Certification programs are making it easier to know all about a cloud vendor
- The do's and don'ts of safeguarding cloud-based data with encryption
- For a good cloud contract, start with an RFP
- It takes a team to create a good cloud contract
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- ESG: The IBM FlashSystem 840: Technical Evolution to Deliver Business Value In this whitepaper, you will learn how this high-speed storage technology has tremendous potential to support I/O-intensive and/or latency-sensitive applications.
- Choosing an MDM Platform: Where to Start the Conversation If you're in the early stages of choosing an MDM solution, or you're considering switching vendors, here are seven critical questions to ask...
- Axeda Platform Technical Overview This paper summarizes the major features of an IoT platform and explains how they simplify and speed the process of developing and deploying...
- Stock Shock: The effect of project and portfolio management on share price In this independent report, you'll see the intrinsic connection between long-term capital investment and short term market performance -- and how this can...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cloud Computing White Papers | Webcasts