Top Tips for HIPAA Compliance and Cloud Security from the Experts


The purpose of HIPAA, the Health Insurance Portability and Accountability Act, is to protect patient privacy, including patient information stored online. The cloud offers a convenient way to store and use that information, but it also brings its own exposure to data theft. Adhering to HIPAA rules and regulations is therefore essential for any pharmaceutical business that handles patient information in the cloud, whether in programs such as clinical trials, drug safety monitoring and biostatistical analysis, or when patient information is transferred for reimbursement, disease management and pharmacy benefits programs.

Since HIPAA cloud security is a complex issue, I have compiled some top tips from experts in the field to help you with the process of HIPAA compliance:

Tip: Understand and Use Business Associate Agreements to Minimize Your Risk

HIPAA cloud compliance should involve Business Associate Agreements (BAAs). BAAs are also required in traditional data center deployments, but the cloud's distributed approach means an increased reliance on multiple online service providers. Every cloud provider and sub-contractor that creates, receives, stores or transmits protected health information on your behalf, whether an online payment processing service or the cloud platform itself, must sign a BAA stating that it will comply with the HIPAA Privacy and Security Rules and safeguard all data the pharmaceutical company supplies. Without a BAA, handing that data to the vendor is itself a violation on your part, and if the vendor loses data or suffers a security breach, your company carries the liability. Make a list of all the cloud businesses you work with and check for each one whether a Business Associate Agreement is required (there are some exceptions to the rule).

Of course, your responsibility doesn’t end with forming agreements with other businesses. HIPAA compliance has to become an integral part of your organization’s culture.

Tip: Constantly and Consistently Remind Employees of Their HIPAA Obligations

Train pharmaceutical and healthcare professionals and continually remind them of their responsibility to protect sensitive data. A yearly lecture or a few workshops are not sufficient to change day-to-day behavior. Instead, businesses should provide a constant stream of security awareness and reminders so that secure behavior becomes second nature. For example, every time a healthcare professional logs in to their computer, they could be shown a different security message that restates one of the golden rules of security. The importance of HIPAA compliance must also be stressed by company management; responsibility should not be left to the IT department alone. Pharmaceutical workers are likely to dismiss rules set out by the technical teams, but will pay more attention to directives coming from their direct managers.

Dan Munro, Founder and CEO of iPatient, and a contributor at Forbes, reminds us that HIPAA security for cloud vendors is more than a legally binding agreement – or commitment. It’s a core competency that needs to be part of the corporate culture – and that’s not something that many cloud vendors want to embrace.  I asked Dan what his experience shows is the best way for cloud pharmaceutical companies to understand and embrace that and his response was two words:  key hires.

When we think of online medical data storage, we generally picture healthcare professionals sending sensitive information from their PCs or laptops into the cloud. But the growing use of mobile phones for both business and personal purposes means that healthcare professionals must also secure data shared through mobile apps.

Tip: Secure Mobile Devices, Since They Can Cause Security Breaches

Adam H. Greene, JD, MPH, partner in the Health IT/HIPAA practice of Davis Wright Tremaine, points out that healthcare or pharmaceutical mobile apps used by professionals must be HIPAA compliant. Apps aimed only at consumers are not required to comply with HIPAA, but whenever sensitive patient data is stored on a mobile device, measures must be taken to protect it. Conduct a HIPAA Security Rule risk analysis that identifies the threats to, and vulnerabilities of, protected health information on those devices. Encourage users to enable encryption on their own mobile devices, and make sure the app encrypts data in transit before it leaves the device. Use the strongest user authentication the mobile platform offers, so that a lost or stolen device does not turn into data theft. And build the app so that security incidents can be detected and logged, because under the Breach Notification Rule your business must report any breach of unsecured protected health information.

In light of some recent security scandals, it has become evident that another crucial issue is the encryption of data and the protection of encryption keys in the cloud.

Tip: Encrypt All Data and Maintain Control of Your Encryption Keys

Gilad Parann-Nissany, founder and CEO of Porticor, a cloud encryption company, recommends that pharmaceutical companies encrypt all of their data for HIPAA compliance. Encryption is an addressable rather than a strictly required specification under the HIPAA Security Rule, but it mitigates liability by providing a 'safe harbor': if data is lost and it can be reasonably shown that the data was encrypted and the encryption was not compromised, the data does not count as unsecured protected health information, so the loss is not a reportable breach and many of the costs and fines that follow a breach are avoided. A related issue is keeping cloud encryption keys private. Encryption is worth nothing if someone gets hold of your keys, and the safe harbor depends on the keys not having been compromised along with the data. A provider that stores both your ciphertext and your keys can expose both in a single breach, so keep the keys to yourself. Technology does allow companies to send data to the cloud while maintaining full control over their encryption keys. Choose a cloud security provider that offers this capability, so that you retain complete control over your data and a strong HIPAA compliance position.
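The pattern behind "send data to the cloud while keeping the keys to yourself" is envelope encryption done on the customer's side: each record is encrypted under its own data key, that data key is wrapped under a key-encryption key (KEK) that never leaves the covered entity, and only the ciphertext plus the wrapped data key are uploaded. The following Go program is an added illustration of that pattern written for this article; it is not Porticor's code or any product's API, and the record identifier, the sample clinical-trial record and the function names are constructed for the example. It shows what a breached provider (or anyone holding the stored blob without the KEK) can and cannot do with it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything handed to the cloud provider for one record: the
// payload sealed under a per-record data key (DEK), and that DEK wrapped
// under the customer's key-encryption key (KEK). The KEK never appears here.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// into the authentication tag. Output layout is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or any stored byte differs.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptForCloud runs on the customer's side before upload. recordID is bound
// as associated data so an envelope cannot be re-labelled as another record.
func EncryptForCloud(kek []byte, recordID string, record []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud also runs on the customer's side: unwrap the DEK with the
// KEK, then open the payload. Without the KEK neither step is possible.
func DecryptFromCloud(kek []byte, recordID string, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := open(dek, env.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("open record: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed demo inputs: a KEK that stays with the covered entity and a
	// made-up trial record containing PHI (hypothetical identifiers).
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	id := "trial/ABC-001/subject/12345"
	record := []byte(`{"subject":"12345","mrn":"MRN-000042","adverse_event":"headache"}`)

	env, err := EncryptForCloud(kek, id, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded: %d ciphertext bytes, %d wrapped-key bytes, 0 KEK bytes\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	// The provider, or whoever breaches it, holds env but not the KEK.
	if _, err := DecryptFromCloud(make([]byte, 32), id, env); err != nil {
		fmt.Println("provider without KEK:", err)
	}
	pt, err := DecryptFromCloud(kek, id, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("key holder:", string(pt))
}
```

Two design points matter for the safe-harbor argument. First, the KEK is only ever an argument to functions that run on the customer's side, so a copy of the provider's storage contains nothing that decrypts the records. Second, GCM's authentication tag, with the record identifier bound in as associated data, means a blob that has been modified in storage or swapped between records fails to open instead of yielding silently corrupted or misattributed PHI. In a real deployment the KEK would live in an HSM or a key-management service under the customer's own control, and a per-record DEK would be rotated by re-wrapping rather than re-encrypting the payload.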

Complying with HIPAA rules and regulations is central to all pharmaceutical and healthcare businesses that operate in the cloud. Twenty-first century technology is a boon to the healthcare system, but it also increases the risk of patient data falling into the wrong hands. Putting Business Associate Agreements in place, hiring and training staff properly, encrypting data on all devices and working with a cloud security provider that leaves you in control of your encryption keys will go a long way toward keeping you compliant.