Nicole Freeman, | March 6, 2014

Healthcare providers and their business associates (BAs) are gradually becoming more comfortable with the concept of storing data off-site and online in a cloud environment. While there is ease of access in having a central, accessible databank for information, there are many factors to consider when selecting and using cloud services. Healthcare providers must be certain that their cloud provider is HIPAA-compliant if they are storing protected health information (PHI), and the provider must be willing to sign business associate agreements (BAAs).

Read through this list of articles featuring service provider updates, professional best practices, and HIPAA information to help covered entities and their BAs use cloud technology in a compliant, meaningful manner.

Our cloud security guide is divided into two sections, one dedicated to HIPAA compliance and the recent allowance of BAAs among big-time vendors and the other dedicated to cloud technology considerations for providers.


With stronger government enforcement of HIPAA and the Omnibus rule and the ever-present risk of a data breach, providers must ensure that their systems and practices are secure and compliant. BAs are also responsible for the protection of data, and healthcare providers need to keep tabs on each of their associates to be certain that their practices are compliant and up-to-date.

Google extends HIPAA BAA support to cloud app developers

After years of avoiding them, Google recently began to offer business associate agreements (BAAs) for cloud application developers and cloud developers to secure HIPPA-protected information. If cloud developers want to allow protected health information (PHI) onto Google cloud platforms, Google will now serve as a business associate (BA).

UCHealth picks Office 365: The BAA effect on cloud security

UCHealth adopted Microsoft Office 365 to store sensitive data from its three healthcare systems. Microsoft and Google have both recently agreed sign BAAs with healthcare groups, and UCHealth chose Microsoft’s service due to its extensive support of HIPAA and data security.

How HIPAA affects healthcare cloud computing decisions

With the HIPAA Omnibus rule effective, both covered entities and their BAs must be HIPAA-compliant and are responsible for the penalties for breaches and non-compliance. Covered entities, however, are still responsible for their BAs’ compliance practices. Encrypting any data stored within the cloud could save covered entities and BAs from data breaches.

Healthcare cloud security: Staying current with BAAs, SLAs

At the HIMSS Privacy and Security Forum, Lee Kim, JD, Director of Privacy and Security for HIMSS and Phil Curran, Chief Information Security Officer for Cooper Health Systems, discussed healthcare providers’ responsibilities when dealing with cloud providers, including best practices for security risk management.

Making healthcare cloud data security decisions as a BA

In an interview, Stephen Wu, a partner at the law firm Cooke Kobrick & Wu LLP, discussed the importance of both healthcare organizations and vendors understanding the HIPAA Omnibus rule and the risks and benefits of using cloud services. Wu offers his experiences on the lack of cloud data breaches, the effect of HIPAA Omnibus on business associate agreements, and the impact of the new rule on vendors.

HIPAA-compliant hosting considerations for covered entities

As providers adopt cloud services, there tends to be a focus on the product’s HIPAA-compliance. There are more things to consider, however, including the role vendors are willing to play as a business associate (BA), the frequency of a vendor’s risk assessments, HIPAA audit preparedness, a vendor’s service outage procedures, and encryption practices.


When selecting and utilizing cloud services, there is more to consider than HIPAA-compliance. Providers and their BAs must also implement security controls, encryption, and risk assessment plans to safeguard any data in their possession.

Combing through health cloud security vendors: CISO options

Bruce Forman, Chief Information Security Officer (CISO) of UMass Memorial Medical Center, explains the value of cloud products, including those used at UMass. Currently, the system uses Software as a Service (SaaS), a popular choice among providers that offers a secure, vendor-managed infrastructure meeting Service Organization Control (SOC) 1.

Healthcare security considerations during cloud implementation

In an interview, Daniel Morreale, Vice President and Chief Information Officer of Kingsbrook Jewish Medical Center, discussed his organization’s implementation of ClearDATA’s cloud hosting services, including timeline integration steps and its BAA.

Securing the health public and private cloud platform bridge

Until recently, providers had been limited to public and private cloud services. As the use of cloud services has expanded, healthcare providers have adopted a hybrid platform, but have found difficulties securely linking the two. To do so, organizations must create a provider-specific channel to ensure fluidity, secure said channel, and create user transparency.

Healthcare providers digging deep into cloud encryption

With data breaches remaining commonplace in the healthcare industry, providers are beginning to look deeper into a service’s encryption processes, including cloud hosting services. Organizations should be able to secure data-at-rest throughout a system with segregated encryption keys.

Healthcare cloud security: CISO perspective

At the 2012 HIMSS Privacy and Security Forum, panelists Jennings Aske, CISO of Partners HealthCare, and Darren Lacey, CISO and Director of IT Compliance at Johns Hopkins University and Johns Hopkins Medicine, explore the security challenges posed by cloud computing, such as vendors who refuse to sign business associate agreements (BAAs), and the best practices to resolve these issues.

Cloud security best practices for healthcare providers, vendors

As providers store and transmit increasingly large amounts of PHI in the cloud, the need for security controls and HIPAA-compliance becomes more pressing. Providers must build a secure, layered cloud system that is high-performing while also ensuring HIPAA-compliance.

Creating strong healthcare cloud encryption keys

When storing data off-site, there is not only the need to clarify the level of management responsibility for each involved party and determining who has access to what information. Providers must also create strong encryption keys for all its data. Devices should generate strong encryption keys each time they are started, and Master Keys should combine parties’ strong and weak randomness.

Facing the healthcare cloud security challenge head-on

The security of cloud computing should always be considered when implementing a service. End-point interrogation engines can monitor devices accessing a system and potentially avoid a data breach. Providers and vendors must also have an access continuity plan in case of a system outage, ensuring that users will still have a secure channel to access their information.

Originally Posted: May 30, 2014
PDF: Healthcare Cloud Security Resources, Advice for Providers