While health care cloud economics don't add up for all providers, especially for facilities that have done all they can with the bandwidth that's available to them, the cloud
HIPAA requires hospitals to have a backup and disaster recovery plan. While the details of those plans are left to the individual provider, it's important to either store backups outside of the zone of potential disasters your risk assessment identifies, or in a "safe location completely hardened against disasters (manmade or otherwise)," Carlos Leyva, author of The HITECH/HIPAA Survival Guides, wrote in an email.
Cavett Otis, IT director at Imaging Associates of North Mississippi Magnolia (IANMM), said his regional radiology practice uses cloud services to provide a HIPAA-compliant backup.
"Every night we're uploading images to a facility in Virginia," he said. This is done to satisfy HIPAA administrative and physical safeguard mandates, which require availability to data, as well as disaster planning. "That's something we have to have in place to meet HIPAA and meaningful use [requirements] as well."
Cloud backups may help business associates reach HIPAA compliance
HIPAA, by its business associate requirements, might enable cloud vendors in another way. The HITECH Act shifted more liability to business associates, which puts them in the same foxhole as the health care provider when it comes to the war against data breaches.
"Most customers are becoming comfortable with third parties handling their data when those third parties are contractually bound by the HIPAA regulations," wrote Dave Nesvisky, executive director of health care for NetApp Inc. His company provides the backbone for Allscripts MyWay and PayerPath EMR, practice management and revenue cycle services that serve thousands of physicians, and recently announced that it was partnering with Iron Mountain to create a HIPAA-compliant backup platform designed especially for health care.
"In other markets, like financial services, a corollary can be drawn to Gramm-Leach-Bliley and California SB-1," Nesvisky said, referring to privacy laws that cover financial information." What convinced them to come around? An understanding of the security requirements and a contractual obligation to comply."
Every night we're uploading images to a facility in Virginia. That's something we have to have in place to meet HIPAA and meaningful use.
Cavett Otis, IT director, Imaging Associates of North Mississippi Magnolia (IANMM)
Rob Shaughnessy, CTO of Circadence Corp., IANMM's WAN optimization vendor, sees acceptance of cloud service providers increasing among his company's health care customers. While providers might not necessarily be interested in uploading patient data to public-cloud hosts such as Amazon.com Inc., the fact that such a large, recognizable company is promoting cloud services helps legitimize the concept. That opens the door for smaller private-cloud hosting companies that can tailor their business to health care -- and the compliance rules that come with it -- to win over health care providers.
"They can offer a cloud service that not only has the technical elements to assure HIPAA compliance and other things, but they also have the marketing language down, and they have the customer knowledge to actually make that a relevant discussion," Shaughnessy said, adding that the cost of cloud technology is decreasing quickly, to the point that it's cheap enough for smaller hospitals to consider seriously. "That's a big factor."