The responsibility requirements of cloud providers and users under U.S. law

Source: Internet
Author: User
Keywords: American law, cloud provider

New technologies, ranging from electronic medical records to medical devices to mobile and web applications, have helped doctors improve patients' health and save lives. Doctors use these technologies to collect far more information than before and to learn about a patient's health from the data collected. These technologies and the data they hold are constantly connected and interacting, sending health information through increasingly complex systems whose risks and vulnerabilities are growing as well. Doctors are no longer the only people authorized to handle this intimate health information. Today, others, such as those who manage the data store, can access the information and therefore share the responsibility to protect it.

Recognizing the sensitivity of health information, the United States government enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and, in 2003, the Health Information Technology for Economic and Clinical Health Act (HITECH Act). These laws require entities responsible for sensitive health information to implement certain measures to ensure its privacy and security, and to notify patients when the privacy or security of their information is compromised.

When a user migrates to a cloud service, it is essential to understand these standards and to adhere to them strictly, so that the entities involved fulfill their obligations and maintain the trust of the patients who disclose their intimate health details. To provide a basis for solving problems related to cloud services, this article first gives a basic overview of HIPAA and HITECH, including the laws, rules, and the parties to which they apply. Then, to help cloud service users and cloud providers avoid conflicts with HIPAA and HITECH requirements, this article discusses data control, access, integrity, and availability issues; specific requirements for shared multi-tenant environments; contingency preparedness and response; and data security.

HIPAA and HITECH Act

Discussions of HIPAA often ignore the complexities of an intricate set of laws, rules, and regulations. The two terms most often mentioned are privacy and security, but they are used without regard to the nuances of HIPAA and HITECH, and so the meaning of compliance becomes blurred.

HIPAA

HIPAA contains specific privacy standards and security standards for certain health information, namely the HIPAA Privacy Rule ("Privacy Rule") and the HIPAA Security Rule ("Security Rule"). HIPAA applies these rules to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses.

According to the website of the United States Department of Health and Human Services (U.S. Department of Health & Human Services, HHS):

The HIPAA Privacy Rule provides federal protection for personal health information held by covered entities and gives patients a range of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Security Rule "specifies a series of administrative, physical, and technical safeguards for covered entities to assure the confidentiality, integrity, and availability of electronic protected health information."

HITECH Act

The HITECH Act extends the HIPAA Privacy and Security Rules and increases the penalties for violating HIPAA. Previously, the jurisdiction of the HHS Office for Civil Rights (OCR) was limited to violations by covered entities. Under the HITECH Act, the HIPAA Privacy and Security Rules extend to business associates (BAs): persons or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of a covered entity (or that provide services to that entity). Today, OCR also has enforcement jurisdiction over BAs. A BA typically provides services such as claims processing or administration, data analysis, utilization review, or practice management. A cloud provider that stores PHI on behalf of a covered entity, whether directly or indirectly through another BA, can also be considered a BA.

Cloud provider as BA

The cloud provider is a distinctive kind of BA holding electronic PHI (ePHI). When HIPAA was enacted, the concept of the "cloud" had not yet emerged and may not have been foreseen. An increasing number of covered entities and other BAs choose to store health information in the cloud. Common reasons include cost savings, storage management, platform benefits, resource availability, backup and recovery, and reduced IT maintenance. However, when ePHI is stored in the cloud, the user is in effect disclosing it to the cloud provider, and the cloud provider becomes a BA. For this reason, the cloud provider must also comply with HIPAA and HITECH requirements.

HIPAA allows covered entities to exchange ePHI for treatment, payment, and healthcare operations without obtaining patient consent. However, only the minimum amount of ePHI necessary to accomplish the purpose of the exchange should be disclosed. Thus, covered entities can exchange ePHI with each other or with a BA. Before information is released to a BA, though, the covered entity must be satisfied that the BA will properly protect all ePHI it receives. This is done through a Business Associate Agreement (BAA).
