Most organizations today handle PHI in a cloud environment. The road to compliance in the cloud is unique to every organization – not only because every business is different, but because HIPAA rules are more guidelines than a set of prescriptive steps or tactics.
Therefore, an organization does not simply "become" HIPAA compliant; rather, it must comply with the following HIPAA rules:
The HIPAA Privacy Rule: As the name indicates, the purpose of this rule is to protect the privacy of patients by limiting the disclosure of patient information without the patient's permission. That includes all identifiable information, such as name, address and social security number, as well as health-specific information, such as diagnoses and treatments. In addition, the Privacy Rule gives patients access to their own medical records.
The HIPAA Security Rule: Under this rule, entities are required to develop and maintain appropriate administrative, technical and physical safeguards that mitigate the risks associated with how the entity handles PHI and that ensure the confidentiality, integrity and security of electronic PHI (ePHI).
The HIPAA Breach Notification Rule: Entities are required to notify patients and the U.S. Department of Health & Human Services (HHS) within 60 days if PHI is breached.