Executive Summary
Cloud-based applications for the storage and exchange of documents must have adequate security and HIPAA compliance before using them for protected health information (PHI). Failure to examine the service can result in a HIPAA violation even if no PHI is compromised.
- Conduct your own assessment of a vendor’s security and compliance.
- Insist on a third-party validation also.
- Prohibit employees from signing up directly with cloud vendors.
Are you using an Internet-based storage document-sharing application with protected health information (PHI)? If so, you might not have properly assessed the security of that application, and that missed step, alone, could be deemed a HIPAA violation.
That’s the lesson from a recent settlement involving a hospital that used an Internet-based document-sharing application without having analyzed the risks associated with such a practice, says Nathan A. Kottkamp, JD, a partner with McGuireWoods in Richmond, VA. The Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with St. Elizabeth’s Medical Center (SEMC) in Brighton, MA. The hospital agreed to pay $218,400 in fines and abide by a lengthy corrective action plan.
OCR Director Jocelyn Samuels issued a statement warning that organizations “must pay particular attention to HIPAA’s requirements when using internet-based document-sharing applications.”
Essentially, the issue in the SEMC case was that the hospital didn’t treat the cloud provider as a business associate, Kottkamp explains. OCR investigated following a complaint about the use of the document-sharing app. OCR also was notified of a separate PHI breach related to data stored on a former workforce member’s unsecured personal laptop and USB flash drive. These violations compromised 1,093 individuals’ PHI, OCR reported.
In addition to the fine, the hospital agreed to assess and revise policies and procedures related to electronic storage and transmission of PHI. SEMC must submit proposed revisions to HHS for review and approval. In addition, SEMC has agreed to promptly investigate all “reportable events,” or instances in which a workforce member has failed to comply with data privacy policies, Kottkamp explains. All reportable events must be submitted immediately to HHS for review, and after one year SEMC also must submit a summary of all reportable events, along with actions taken to mitigate harm and prevent recurrence. The hospital also must submit an attestation that all workforce members have completed all required training relating to PHI.
Closer look at e-storage
Kottkamp says the SEMC settlement is another example of increased emphasis that OCR is placing on security of PHI stored and transmitted electronically.
“It’s becoming more and more prevalent to use cloud services of one sort or another, and many times we don’t think much of it. There’s an app to use, and there goes the document,” he says. “The definition of business associate, we have to presume, includes cloud storage providers, because OCR says that anyone who maintains PHI is considered a business associate even if they don’t necessarily have direct access to it.”
OCR has promised in the past to address the question more directly, but it has not offered guidance yet. Including these apps in the business associate definition might not be appropriate, because many of them have no knowledge of what information is in the stored documents and cannot access it, Kottkamp suggests. Nonetheless, OCR has said in the past that they must be business associates because if there is a breach, the storage provider is obligated under the notification rules.
“It’s a real challenge because providers don’t necessarily think to engage cloud hosts as business associates, and most of the cloud providers are not capable of fulfilling their requirements as a business associate, regardless of whether they’d be willing to sign a business associate agreement in the first place,” Kottkamp says.
Even if the cloud provider acknowledges being a business associate, it might not be willing to sign a healthcare organization’s business associate agreement (BAA) because the obligations and risk are not worth the business potential, he notes. “If you’re a hospital and have specific terms in your BAA, good luck trying to get Google to sign that before you use Google Docs,” Kottkamp says. “Google is just not going to do that.”
Some cloud providers might promote themselves as HIPAA-compliant and be willing to sign BAAs, Kottkamp says. However, he also cautions about vendors who seem too eager to sign your BAA. “If they are just so eager to sign the agreement and don’t ask you anything at all about it, you might wonder if they’re just signing it to close the deal, but compliance is nonexistent,” he says. “Vetting of vendors is an obligation of healthcare providers these days.”
When properly vetted to ensure security and HIPAA compliance, working with only one cloud storage provider could even improve PHI security for the hospital, Kottkamp says. Using one reliable cloud provider could reduce the risk of having documents stored on individual laptops and jump drives, the sources of many HIPAA breaches.
Hospitals should conduct a vendor risk assessment before signing a BAA with a cloud storage provider, says Dan Zitting, CPA, CISA, GRCA, vice president of product design and management at ACL Services, based in Vancouver, Canada. ACL Services provides risk management and audit services, including some cloud-based services, to healthcare organizations. He previously worked as an IT security auditor for hospitals.
“You want to understand the vendor’s approach to security control and make sure they have mapped out everything related to HIPAA security and privacy,” he says. “HIPAA is more difficult in this regard than some other compliance concerns because there is no actual certification for vendors.”
A hospital also should insist on a third-party audit or validation of the vendor’s data security and HIPAA compliance, Zitting says. Though there is no HIPAA certification, many other certifications cover the same data security concerns that HIPAA addresses. The ISO-9000 certification from the International Organization for Standardization (ISO) is one example.
Kottkamp also cautions that a hospital can find its PHI on a cloud storage system without any of this happening if an employee bypasses the IT department. This situation can happen if the employee wants to use a cloud storage system for convenience, even thinking it offers better security, and arranges the service directly.
“It doesn’t go through the normal vendor risk management process. We see that happening all the time,” Kottkamp explains. “There have to be policies and procedures about how PHI is stored and transmitted, particularly when using a cloud-based service outside the hospital, emphasizing that the hospital must approve the vendor first. I don’t think very many hospitals have written that policy or made it extremely clear to employees.”