HIPAA Regulatory Alert: Are you in the cloud? Time to scrutinize agreements
Omnibus rule clarifies definition of cloud providers as business associates
Although healthcare organizations have been slower to adopt cloud-computing services than other industries [1], a recent study shows that 62% are using cloud services for some activities [2]. However, 47% of respondents relying on the cloud are not confident that information is secure, and 23% are only somewhat confident.
The Health Insurance Portability and Accountability Act (HIPAA) omnibus rule addresses these concerns by expanding and clarifying the definition of business associates (BAs) to include vendors that store or transmit protected health information on a covered entity's behalf even if they never view it, which is exactly what cloud service providers do.
“Throughout the past two years of review and comment on the rule, cloud vendors insisted they be treated as a conduit of information and not as a business associate with access to data,” explains Cynthia J. Larose, Esq., an attorney and member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo in Boston.
The actual conduit exception defined in the final rule is limited to companies such as wireless carriers, telephone companies, or delivery services such as FedEx, she explains. “Even if a cloud services provider is not contracted to work with the data of a client, the point is that the vendor has to have access to provide maintenance, upgrade service, or perform other operations.”
Identification of cloud service providers as business associates is not new, points out Anna L. Spencer, JD, an attorney with Sidley Austin in Washington, DC. “Even prior to HITECH [Health Information Technology for Economic and Clinical Health], the FAQ guidance on business associates indicated that companies that provided hosting or software services were considered business associates,” she explains. This point was highlighted by the settlement with Phoenix Cardiac Surgery over its use of a publicly accessible Internet calendar to schedule appointments and surgeries. One of the findings by the Office for Civil Rights (OCR) was that the practice “failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI” [3].
The good news for hospitals and health systems is a “crystal clear” definition of cloud providers as business associates. The bad news is a critical need to review existing agreements with cloud providers to ensure they are held to the same standards as all business associates. “Covered entities must revisit all cloud vendor agreements,” recommends Larose. “Even if a cloud provider claims to be HITECH-compliant, the covered entity must ask for proof.” This proof includes a third-party assessment report, such as one issued under Statement on Standards for Attestation Engagements (SSAE) No. 16, certifying that privacy and security controls exist within the organization, she suggests.
While an SSAE report provides proof of an assessment, it is not healthcare-specific, so require other documentation as well, suggests Andrew Hicks, MBA, CISA, CCM, CRISC, director and healthcare practice lead at Coalfire, a Louisville, CO-based independent IT governance, risk, and compliance firm. “The best proof is a HITRUST [Health Information Trust Alliance] certification,” he suggests. “It is specific to healthcare and covers privacy and security concerns.” Third-party reports should include documentation of penetration testing as well as vulnerability assessments, and all documentation should be requested annually, he adds. “The covered entity must hold the cloud service provider responsible for data.”
While all of this documentation should be in place at the start of any new contract, a covered entity should specify a timeframe in which existing vendors must prove compliance to continue the business arrangement, he recommends.
Know downstream vendors
The omnibus rule also points out the business associate’s responsibility for downstream vendors, says Spencer.
“This is critical for healthcare organizations working with cloud providers because many companies presenting themselves as cloud vendors are offering services that run on other cloud platforms such as Google or Microsoft,” she says.
While the vendor with whom the hospital contracts has privacy and security controls in place, the actual platform provider might not, she explains. For this reason, make sure the cloud provider is asking for the same proof of compliance from its own vendors.
“Encryption is an interesting wrinkle in this conversation about cloud provider responsibilities,” says Spencer. “Theoretically, the cloud service provider’s access to data is not an issue if the healthcare organization transmits only encrypted data.” At this point, there is no guidance as to whether or not this type of encryption eliminates the business associate responsibility for the cloud provider, she adds.
“Encryption minimizes risk but doesn’t eliminate it, so don’t select a cloud provider who can’t produce the documentation you require, even if you plan to only transmit and store encrypted data,” says Spencer. If you are already working with a cloud services vendor who won’t produce the documentation you require, be ready to move to a new vendor. “This is not always easy to do,” she admits.
Although business associates are required to return or destroy data after termination, a hospital’s current contract might not identify the vendor as a business associate, and language in the contract might not address status of the data upon early termination. “Operationally, it may not be easy to switch to another vendor, but even if it is, be sure you know what happens to your data with the previous vendor,” she adds.
Ensuring compliance with security requirements might take time and effort, but the risks are great, points out Spencer. “It’s not just about OCR penalties. If a cloud service provider can’t meet security requirements, and a hospital continues to do business with the vendor, the hospital is financially responsible for all the costs of a breach, which can be sizable when a cloud services provider is involved.”
References
1. CDW. Silver linings and surprises: CDW’s 2013 state of the cloud report. 2013. Accessed at http://webobjects.cdw.com/webobjects/media/pdf/CDW-2013-State-Cloud-Report.pdf.
2. Ponemon Institute. Third Annual Benchmark Study on Patient Privacy & Data Security. December 2012. Accessed at http://www2.idexpertscorp.com/assets/uploads/ponemon2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf.
3. Department of Health and Human Services. HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards. Press release. April 17, 2012. Accessed at http://www.hhs.gov/news/press/2012pres/04/20120417a.html.
Sources
For more information about cloud service providers as business associates, contact:
• Andrew Hicks, MBA, CISA, CCM, CRISC, Director and Healthcare Practice Lead, Coalfire, 361 Centennial Parkway, Suite 150, Louisville, CO 80027. Telephone: (303) 554-6333.
• Cynthia J. Larose, Esq., Member, Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, One Financial Center, Boston, MA 02111. Telephone: (617) 348-1732. Fax: (617) 542-2241.
• David S. Linthicum, Founder and Chief Technical Officer, Blue Mountain Labs, 12969 Manchester Road, St. Louis, MO 6313. Telephone: (314) 373-3435.
• Anna L. Spencer, JD, Partner, Sidley Austin, 1501 K St. NW, Washington, DC 20005. Telephone: (202) 736-8445.