Customer Case Study: QSAC

QSAC – Quality Service for the Autism Community

HIPAA Compliance in a Cloud File Server

The IT team at QSAC uses CloudLock to comply with HIPAA and protect medical records stored in the cloud.

Founded in 1978, QSAC is an award-winning organization that is one of the largest agencies dedicated specifically to autism, and is a recognized leader in the field. QSAC provides comprehensive services and programs to individuals with ASD and their families, ranging from early intervention and preschool programs for young children to day programs and residential services for adults. QSAC’s programs provide all participants with the opportunity to acquire, maintain, and practice the skills necessary to lead a more fulfilling and independent life and become productive members of the community.

QSAC provides and maintains the highest level of professional services that utilize the most innovative therapeutic techniques and is committed to assisting our consumers in becoming independent and productive members of their communities.

Business Problem

QSAC’s innovative IT team was an early adopter of Google Apps in general and the cloud collaboration suite specifically. As such, it continues to enjoy a reduction in IT costs while providing collaboration benefits to its staff.

As the adoption of Google Docs grew within the organization, more and more documents were created in the cloud. These documents included patient records subject to HIPAA compliance. With this growth, QSAC was faced with the challenge of maintaining HIPAA compliance for its consumer-related documents in the cloud.

“Our organization is one of the largest agencies dedicated specifically to autism in New York. We are under strict HIPAA regulations and it is imperative that all consumer-related information is protected,” said Joe Moran, Director of Communications and Technology at QSAC.

The CloudLock Solution

“CloudLock for Google Docs has been instrumental in allowing us to review external and internal document exposures and continue to comply with HIPAA regulations for documents stored and created in the cloud,” said Moran.

With CloudLock for Google Apps, the IT team at QSAC is able to:

  • Gain visibility into all documents in the domain and see their sharing settings
  • Fully control document permissions (add or remove collaborators, change ownership, and change collaborator access rights)
  • Monitor and receive exposure alerts, getting email alerts with newly exposed documents and changes in permissions (the same report is also available from within the application)
  • Review all changes for documents created or shared with their domain (view changes in ownership and in access rights)
  • Transfer ownership of documents from one user to another (in bulk or for a single file)

HIPAA Compliance in the Cloud

With the transition to the cloud and with companies storing documents in Google Docs, the same data control requirements must be followed when using the cloud as a file server. IT therefore is tasked with implementing technical controls and continuous access auditing to assure the reliability of data related to patients’ medical records in Google Docs.

CloudLock can be used as an effective tool to facilitate HIPAA compliance with Google Docs. It provides a comprehensive system to meet the requirements of HIPAA as specified in the security and the privacy rules. More specifically, CloudLock can assist with the following:

  • Security Management Process – A complete access management system that provides domain administrators full visibility into all document access rights and exposure levels.
  • Workforce Security – Audit documents and users to ensure that permission rights and sharing settings comply with the regulatory requirements.
  • Information Access Management – Alerts on new exposures and permissions changes are generated daily.
  • Access Control – Domain administrators can review and fix document access rights to enforce correct access controls. Permissions can be changed by admins who are not collaborators on the documents.
  • Audit Controls – Tamper-proof audit logs with all admin activities and changes for audit purposes. The audit log contains all activities performed by the admin(s) or the end-users who are authorized to use CloudLock. A full document history includes all the permissions changes for any given document.
  • Data Retention – CloudLock Protected Folders is built to support data retention for compliance and regulation purposes. Once placed into Protected Folders, documents cannot be deleted or changed in any way.

“Initially, we did not allow outside collaboration because of HIPAA and the concern that sensitive medical records could leak and be exposed. With CloudLock, I get the controls I need to make sure this does not happen and users can enjoy the collaboration features in Google Docs,” said Moran.

Ongoing Monitoring and Tracking Changes of All Documents in the Domain

CloudLock provides ongoing monitoring of the entire domain with email alerts on newly exposed documents and changes in permissions for existing documents. The same report is also available from within the application with the ability to view the specific documents. Users can select a time range and view at once all the changes that happened in their domain for a specified time.

“The alerts and change reports are amazing features that allow me to see what has changed in our domain and if any documents have been mistakenly exposed,” said Moran.

With this feature, Google Apps administrators can stay on top of all changes in the domain with a very minimal time investment.

A Google Apps Marketplace Application Running on Google App Engine

CloudLock is a Google Apps Marketplace application running on Google App Engine. This ensures that all meta-data collected and all application processing remain within the same SAS70-II certified environment that supports Google Email, Calendar, Docs and other applications.

As a Google Apps Marketplace application, CloudLock is easy to install, and uses OpenID for single sign-on and SSL for all communications.
