Table 2. Cloud provider business associate contract stipulations needed to ensure compliance with the HIPAA Security Rule

| HIPAA Security Rule specification | Cloud provider business associate contract stipulation |
| --- | --- |
| 1. Conduct risk analysis | Cloud provider agrees to produce periodic server-side risk analyses for use by the client |
| 2. Implement risk management policies to reduce vulnerabilities | Cloud provider agrees to implement the server-side risk management policies required by the risk analysis |
| 3. Apply sanctions to non-compliant workforce members | Cloud provider agrees to subject its workforce to sanctions for compliance violations |
| 4. Implement policies to periodically review information system activities | Cloud provider agrees to give client a simple means to review its information system activities |
| 5. Assign a security official | Cloud provider identifies a security official responsible for overseeing ePHI security |
| 6. Supervise workforce members who work with ePHI | Cloud provider agrees to be responsible for supervising its workforce for security policy compliance |
| 7. Clear workforce members for access to ePHI | Cloud provider agrees to perform a security clearance before workforce members have access to ePHI |
| 8. Terminate workforce members' access to ePHI appropriately | Cloud provider agrees to implement policy to terminate its workforce members' access to ePHI appropriately |
| 9. Isolate healthcare clearinghouse functions from the larger organization | Cloud provider agrees to ensure client's ePHI is isolated from its larger organization, and from ePHI of other clients (multitenancy of applications and databases may not be an option) |
| 10. Implement policies for granting user access to ePHI | Cloud provider agrees to implement policies for granting workforce access to ePHI |
| 11. Implement policies for review and modification of user access to ePHI | Cloud provider agrees to implement policies for reviewing and modifying its workforce's access to ePHI |
| 12. Periodically remind users of security policies | Cloud provider agrees to implement mechanisms to remind users of security policies |
| 13. Protect system from malicious software | Cloud provider agrees to keep antivirus software, operating system, and software patches up to date. Cloud provider operates intrusion detection system and firewall |
| 14. Monitor login attempts | Cloud provider agrees to monitor login attempts, make the information available to client, and lock out users who exceed the failed login attempt limit |
| 15. Manage passwords | Cloud provider's software platform gives client administrator functionality to manage passwords |
| 16. Identify and respond to security incidents | Cloud provider utilizes tools like an intrusion detection system to prevent attacks, and reports incident details, impact, and response to client |
| 17. Back up data | Cloud provider agrees to back up data with tape, internet, redundant drives, or any means necessary to allow full recovery from incidents |
| 18. Establish data recovery plan | Cloud provider develops, tests, and publishes a detailed procedure for emergency operations |
| 19. Establish emergency operation mode plan | Cloud provider develops, tests, and publishes its plan for emergency operation, including backup power supplies and offsite failover facilities |
| 20. Periodically test and revise contingency plans | Cloud provider agrees to periodically test and revise contingency plans for smooth transition to emergency operation mode |
| 21. Assess relative criticality of applications and data | Client reports relative criticality of applications to cloud provider so emergency operations can be designed to provide at least the most important applications |
| 22. Perform periodic security evaluation | Cloud provider agrees to perform periodic security evaluation and report any changes to client |
| 23. Obtain assurances from business associates that security requirements will be met | Cloud provider agrees to all HIPAA-required SLA stipulations, as do any of the provider's business partners who handle ePHI |
| 24. Establish procedure for facility access in emergency mode operation | Cloud provider develops, publishes, and tests procedure for facility access in emergency operation mode |
| 25. Protect data facility and equipment from unauthorized access, tampering, and theft | Cloud provider agrees to implement sufficient physical safeguards to prevent unauthorized persons from entering data facility |
| 26. Control and validate person's access to data facilities and software programs | Cloud provider agrees to screen, authorize, validate, and log all personnel accessing data facilities and their activities while there |
| 27. Document repairs and modifications to data facility's physical components | Cloud provider agrees to document and report data facility repairs and modifications |
| 28. Control use and location of workstations that can access ePHI | Cloud provider has software that allows client administrator to limit access to ePHI to certain devices identified by MAC address or client certificate |
| 29. Implement physical safeguards and control access to workstations that can access ePHI | (Client controls access to workstations) |
| 30. Properly dispose of electronic media that stored ePHI | Cloud provider implements policies to properly dispose of electronic media |
| 31. Properly remove ePHI from electronic media before re-use | Cloud provider agrees to implement policies to properly remove ePHI from electronic media |
| 32. Maintain record of hardware and electronic media that store ePHI | Cloud provider agrees to maintain record of hardware and electronic media that store ePHI |
| 33. Back up ePHI before moving equipment | Cloud provider agrees to back up ePHI before moving equipment |
| 34. Assign unique name or number to users | Cloud provider's software platform ensures users are uniquely identifiable |
| 35. Establish procedure for obtaining ePHI during an emergency | Cloud provider agrees to develop, test, and publish procedures for accessing ePHI during an emergency |
| 36. Automatically log off users after a period of inactivity | Cloud provider's software platform automatically logs users off after inactivity |
| 37. Encrypt ePHI when appropriate | Cloud provider agrees to encrypt stored ePHI whenever necessary |
| 38. Record and audit ePHI system usage | Cloud provider's software platform logs user access to ePHI and makes it available to client's administrators |
| 39. Implement mechanisms to ensure that stored ePHI has not been altered or destroyed in an unauthorized manner | Cloud provider implements policies to protect ePHI from alteration or destruction with encryption and PKI |
| 40. Authenticate persons or entities seeking access to ePHI | Cloud provider's software platform authenticates users before granting access to ePHI |
| 41. Implement measures to ensure transmitted ePHI is not modified in transit | Cloud provider's software platform implements data integrity controls such as digital signatures and one-way (MD5) file hashes |
| 42. Encrypt transmitted ePHI when appropriate | Cloud provider's software platform ensures transmitted ePHI is encrypted with strong passphrases, 128-bit or higher encryption algorithm, PKI or SSL/TLS |
ePHI, electronic protected health information; HIPAA, 1996 Health Insurance Portability and Accountability Act; MAC, media access control address; PKI, public key infrastructure; SLA, service level agreement; SSL, secure sockets layer; TLS, transport layer security.
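Row 41 requires an integrity control that lets the receiving side detect modification of ePHI in transit, and names digital signatures and MD5 file hashes as options. The following is an added example, written for this table and not code from the paper or from any cloud provider's platform. It implements the control with a keyed hash (HMAC-SHA256 from the Python standard library, chosen here as the simplest keyed variant) next to the bare MD5 digest the row mentions, so that a practitioner can see which modifications each one catches. The shared key, the record fields, and the simulated wire and corruption helpers are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example; a real deployment provisions it
# out of band between provider and client, never in source code.
SHARED_KEY = b"constructed-example-key-not-for-production"

# Constructed sample ePHI record with fictitious values.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "visit_date": "2012-04-17",
    "diagnosis_code": "J18.9",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Keyed integrity control: attach an HMAC-SHA256 tag before transmission."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Accept the record only if its tag recomputes under the shared key."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a mismatch does not leak where the tag differs.
    return hmac.compare_digest(expected, envelope["tag"])


def seal_unkeyed(record: dict) -> dict:
    """Unkeyed variant: a bare MD5 digest travels with the record, as row 41 mentions."""
    return {"record": record, "digest": hashlib.md5(canonical_bytes(record)).hexdigest()}


def verify_unkeyed(envelope: dict) -> bool:
    """Recompute the bare digest; this detects accidental corruption only."""
    digest = hashlib.md5(canonical_bytes(envelope["record"])).hexdigest()
    return hmac.compare_digest(digest, envelope["digest"])


def transmit(envelope: dict) -> dict:
    """Simulate the wire: serialise and parse back, as the receiving side would."""
    return json.loads(json.dumps(envelope))


def corrupt_in_transit(envelope: dict) -> dict:
    """Simulate an in-transit change to one field; the accompanying tag/digest is left as is."""
    altered = json.loads(json.dumps(envelope))
    altered["record"]["diagnosis_code"] = "Z00.0"
    return altered


def run_checks() -> dict:
    """Exercise both controls and return the outcomes, e.g. for the audit log row 38 requires."""
    keyed = transmit(seal(SAMPLE_RECORD))
    unkeyed = transmit(seal_unkeyed(SAMPLE_RECORD))
    return {
        "keyed_intact": verify(keyed),
        "keyed_corrupted": verify(corrupt_in_transit(keyed)),
        "keyed_wrong_key": verify(keyed, key=b"some-other-constructed-key"),
        "unkeyed_intact": verify_unkeyed(unkeyed),
        "unkeyed_corrupted": verify_unkeyed(corrupt_in_transit(unkeyed)),
        # A bare digest recomputed over the altered record still verifies: without a
        # key the receiver cannot tell the sender's digest from one computed later.
        "unkeyed_recomputed": verify_unkeyed(seal_unkeyed(corrupt_in_transit(unkeyed)["record"])),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The keyed tag rejects both the corrupted record and a tag made under a different key, while the bare digest only rejects the case where the data changed but the digest did not; that difference is why the contract language should pin the platform to a keyed or signed control rather than a plain hash when the threat includes deliberate modification. A digital signature, which row 41 also lists, gives the same detection with the added property that the client can verify without holding the provider's secret.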