Small business owners operating in the US healthcare industry may not realize that there are a plethora of legal regulations they must comply with in regard to cloud storage. The most well-known regulation is HIPAA - the Health Insurance Portability and Accountability Act.
This blog post will explain how small businesses are affected by HIPAA in terms of cloud storage requirements and the risks of non-compliance.
What Is HIPAA?
The Health Insurance Portability and Accountability Act was enacted in 1996 to protect patient health information. Protected Health Information (PHI) includes health information that can be used to identify an individual. HIPAA compliance requires that all entities handling PHI take measures to protect its confidentiality, integrity and availability.
There are two main HIPAA rules that small businesses should take note of:
- The HIPAA Privacy Rule: This rule sets forth national standards for the protection of PHI. It requires that covered entities (CEs) - including healthcare providers, health plans and clearinghouses - take measures to ensure that PHI is only used or disclosed for authorized purposes. Furthermore, CEs must provide individuals with notice of their privacy rights and maintain records of all disclosures of PHI.
- The HIPAA Security Rule: This rule establishes security standards for the electronic transmission of PHI. It requires CEs to put in place physical, technical and administrative safeguards to protect the confidentiality, integrity and availability of electronic Protected Health Information (ePHI).
Which Small Businesses Are Affected by HIPAA Compliant Cloud Storage Requirements?
Any small business that collects, stores, or transmits PHI must comply with both the Privacy Rule and the Security Rule. This includes, but is not limited to, the following types of businesses:
- Healthcare providers: Physicians, nurse practitioners, physician assistants, dentists, chiropractors, optometrists and other types of healthcare providers must comply with HIPAA. This is true even if the provider does not transmit PHI electronically.
- Health plans: HMOs, company health plans and government programs that pay for healthcare services (e.g., Medicare, Medicaid) must comply with HIPAA.
- Healthcare clearinghouses: Clearinghouses process non-standardized data from multiple sources into a standard format or vice versa. They include billing services, repricing companies, community health management information systems and value-added networks.
- Business associates of CEs: This is where HIPAA casts a wide net. Business associates of CEs include any individual or entity that performs functions or activities on behalf of, or provides certain services to, a CE. These services include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, configuration and maintenance of IT systems, content development and management, and legal, accounting and consulting services.
While HIPAA doesn't explicitly refer to cloud storage, the businesses listed above clearly rely on cloud storage services for day-to-day operations. Therefore, small businesses must ensure that their cloud storage vendor is HIPAA compliant. They can do this by confirming that the cloud provider has signed, or will sign, a Business Associate Agreement (BAA) with the covered entity. A BAA is a contract between a covered entity and a Business Associate (BA) that outlines the BA's obligations concerning PHI.
Risks of HIPAA Non-Compliance
There are several risks associated with HIPAA non-compliance, including:
- Financial penalties and costs: The Department of Health and Human Services (HHS) can impose civil monetary penalties (CMPs) on CEs and business associates for HIPAA violations. These penalties can range from $100 to $50,000 per violation, with a maximum of $1.5 million per year (and higher when adjusted for inflation) for repeat violations. Settlements and civil monetary penalties can be much higher. For example, Excellus Health Plan agreed to a $5.1 million civil monetary penalty and a corrective action plan with the Office for Civil Rights to correct HIPAA violations after a 2015 data breach impacting 9.3 million individuals. In addition to the financial penalties, small businesses can also incur huge financial costs for seemingly inexpensive compliance obligations like breach notifications. For example, the American Medical Collection Agency (AMCA) recently suffered a breach that exposed the information of 20 million patients. As a result, they had to notify 7 million patients of the breach using the recommended channels at a staggering cost of $3.8 million.
(Image source: Spanning.com)
- Criminal penalties: HIPAA violations can also lead to criminal charges. The unlawful disclosure of PHI is a felony punishable by up to five years in prison. Furthermore, individuals who knowingly violate HIPAA can be subject to criminal charges that carry a prison sentence of up to ten years. Even a disclosure you were not aware of can result in a prison sentence of up to one year.
- Reputational damage: HIPAA non-compliance can damage the reputation of small businesses. In today's age of social media, news of a data breach can spread like wildfire, potentially leading to long-term adverse effects on the business.
HIPAA Compliant Cloud Storage for Small Business
As we have seen, HIPAA compliance is essential for small businesses that collect, store, or transmit PHI. Furthermore, these businesses must ensure that their cloud storage vendor is HIPAA compliant. Failure to do so can lead to several penalties and risks, including financial and criminal penalties and reputational damage.
When choosing a cloud storage vendor, ask about their HIPAA compliance policies and procedures. This helps ensure that your small business is protected in the event of a data breach.
HIPAA compliant cloud storage is vital for small businesses, but it's only one part of the larger puzzle. To truly be HIPAA compliant, businesses must also have policies and procedures to protect PHI. These include but are not limited to:
- Training employees on HIPAA compliance
- Ensuring the physical security of devices that contain PHI
- Having a process for handling data breaches
For more information on HIPAA compliant cloud solutions, check out our HIPAA compliant backup and encrypted sharing cloud service. Central Data Storage's data experts and technology provide confidence that your patient data is secure, and your HIPAA compliance needs are met. Sign up for a free no-obligation data assessment today.