Small medical practices can usually see some cost savings by moving some of their technology to the cloud, such as email, file sharing and, of course, their medical applications hosted on a cloud server. Whether your technology is in house or in the cloud, you must still make sure the patient health information is protected, secured and HIPAA compliant.
Due Diligence Is The Key To Compliance
The very first thing you need in order to use any cloud provider to store patient health information is a Business Associate Agreement, or BAA. Does HIPAA allow you to use a public cloud resource, say for example Dropbox? Absolutely, but you still need a signed BAA to use it.
If you sign up for a cloud server with a private hosting company to host your medical application, that company must sign a BAA with you. If they aren't willing to sign one, that will automatically put you out of compliance in the event of an audit. It's OK to use a cloud service if you aren't keeping patient health information on it, but if PHI touches the resource you must have a BAA in place.
Doing business with a cloud provider that simply says they are HIPAA compliant on their website isn't good enough. Where are they keeping their data? In a US data center or offshore? While you can still be compliant if you use a foreign data center, your risk of having your data compromised might greatly increase.
A typical scenario is that you have a cloud server with your medical practice application on it and your team remotes in. Is the data on that cloud server encrypted? If your provider is making a backup, is the backup encrypted as well? These are questions you should be asking and documenting, to show you did your homework and are making sure your patients are well protected.
Neotech Networks is an IT provider in the New York and Long Island area that serves small businesses. If you would like a free consultation, please use our contact form or call 212.858.9022
224 West 35th Street 11th Floor
New York, NY 10001