One of CumulusOps's verticals is the secure management and migrating HIPAA PHI data into the cloud. HIPAA and HITECH require that related to the use and disclosure of PHI, need to have the necessary safeguards to protect PHI of individuals. Cloud providers along with CumulusOps can be covered entities and business associates that can build a secure, scalable, low-cost implementation in the cloud that is in alignment with HIPAA and HITECH compliance requirements.
To comply with HIPAA and the HITECH Act, a cloud customer needs to sign a written agreement called the Business Associate Agreement (BAA). The BAA is available to a cloud customer that is a “covered entity” or a “business associate” and includes "protected health information" in cloud customer data.
Each cloud provider has a list of services that are in scope for use in the cloud. Customers should not store or process PHI outside the BAA scope unless this is done in a way that renders the PHI unusable, unreadable, or indecipherable within that service such that the breach notification requirements of HIPAA and HITECH do not apply.
Also, cloud customers must understand the shared responsibility model between the cloud provider and them. Merely getting a BAA for a cloud provider does not to ensure a covered entity is compliant with HIPAA and HITECH rules. No cloud provider can be genuinely HIPAA and HITECH complaint on its own. The customer still has the responsibility in the shared responsibility model with the cloud provider to customer data, applications, access management, operation system, network, firewall configuration, client-side data encryption/ data integrity authentication, server-side filesystem encryption and or data, network traffic encryption integrity, and identity.
Just as with On-Premises and Colocation hosting providers there can be penalties for cloud HIPAA violations. There have been a number of settlements announced where Health Care Service providers have been fined in excess of 1 million dollars after PHI was compromised. With right cloud migration and management services, this can be done in a secure, pay as you go, and lower total cost of ownership way that protects your business and its PHI data.