HIPAA-compliant cloud, simplified

Nov. 14, 2017
Marty Puranik
CEO, Atlantic.Net

Oregon Health & Science University stored the electronic health data of 3,044 people on a cloud server without a business associate agreement (BAA) in place. The Department of Health and Human Services (HHS) investigated the incident, resulting in a resolution agreement and corrective action plan. This cloud-related HIPAA violation was featured as an example in HHS’s official Guidance on HIPAA and Cloud Computing [1], released on Oct. 6, 2016. The agreement, announced by the OCR on July 18, 2016, included a $2.7 million settlement, with the agency citing the academic institution’s “widespread HIPAA vulnerabilities.”

While that story could certainly be considered words of warning, the HIPAA cloud guidelines were not just about striking fear into the hearts of leaders in industries regulated by the law. They were published in order to help covered entities and business associates (BAs) protect themselves from violations, and safeguard their patients from breach or other compromise of their electronic protected health information (ePHI).

Here are some tips for your organization on ensuring a HIPAA-compliant cloud.

1. CSPs are BAs to the extent they interact with ePHI
Of primary interest within the guidelines is the role of cloud service providers (CSPs).

Covered entities include healthcare providers, plans, and data clearinghouses. Business associates are any organizations that provide services or products to the covered entity, as indicated by the parameters of a BAA between the two parties.

A cloud service provider is a HIPAA business associate if the services that it performs for the covered entity involve the creation, receipt, maintenance, or transmission of ePHI.
The HIPAA Security Rule requires that cloud service providers (and other business associates) properly safeguard the availability, integrity, and confidentiality of patient health data.

2. Doctors and other healthcare staff members can access cloud ePHI via mobile
It is considered secure to access cloud-based patient data via a smartphone or tablet, provided that all the technical, administrative, and physical safeguards outlined in the Security Rule are in place. HHS has issued a similar set of recommendations [2] on how to make sure that mobile devices are HIPAA-compliant.

3. There must be full transparency when anything goes wrong
When a cloud service provider is processing, storing, or transmitting ePHI on behalf of a covered entity or business associate, it must identify and respond appropriately to any exploits or other threats to the data. It must mitigate any damage, record what happened, and report the results.

4. Risk analysis must proceed from both sides
The covered entity must understand the cloud ecosystem. That information is necessary for its risk analysis. The business associate should also conduct a risk analysis.

5. 100% de-identified data does not a BA make
If the CSP only works with de-identified data, it is not a BA.

However, a cloud service provider that only works with encrypted data and does not hold any decryption keys (called a “no-view CSP” by healthcare compliance resource HITECH Answers [3]) is still considered a BA that must comply with HIPAA. Cloud service providers typically require data encryption so that they are not exposed to violations of the healthcare law.

HHS noted that encryption is not enough, since it does not by itself achieve the goals of continual integrity and availability of the data. Example concerns that go beyond encryption in maintaining a compliant environment are contingency planning for disasters and protection against corruption by malware. Encryption also does not address other requirements of the healthcare law that are needed to keep the information confidential, said HHS, “such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.”

6. There is no finger-pointing, but complicity, in certain scenarios
The BAA can spell out that one party is in charge of a given security control (such as user authentication to prevent unauthorized access), but that does not automatically mean that the other organization is off the hook. The dual responsibilities effectively build redundancy into the system. For instance, the covered entity (such as a doctor’s office or hospital) must prevent unauthorized access to ePHI. However, the cloud service provider still has to have security mechanisms in place that keep unauthorized individuals away from HIPAA-protected data.

7. Cloud can be used by covered entities and business associates for the storage and processing of patient data
The organization should first sign a business associate agreement with the cloud service provider that will be processing, storing, or transferring the data. The agreement should specifically delineate the intended use or disclosure of the data by the outside party. The details of what you can expect from the cloud provider in terms of process and performance can be spelled out in the service level agreement (SLA). An SLA can contain language that specifically targets concerns related to healthcare data, including reliability and availability; data recovery and backup; the return of information to the client after the contract is terminated; security expectations; and policies related to disclosure, use, and retention.

8. You cannot comply with HIPAA and use a CSP in the absence of a BAA
You will always need to have a BAA in place in order to work with a cloud provider. Note that the CSP has responsibilities of its own that it must meet so that you can stay compliant. Simply by being a business associate (by working with the electronic protected health information), the company is required by the Department of Health & Human Services to meet HIPAA guidelines in its own right, beyond its obligations to you. Be aware that the firm must meet those HIPAA guidelines whether or not a BAA is in effect with you. Troy Parker of the American Medical Association stresses the key point when using a CSP as part of your IT system: “[Y]ou must have a BAA with the CSP or both you and the CSP will be in violation of HIPAA.” [4] In other words, in the story of the 3,000 patients on a cloud server, both the CSP and the covered entity were in violation.

References

[1] https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
[2] https://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device
[3] https://www.hitechanswers.net/ocr-cloud-computing-hipaa-guidance/
[4] https://wire.ama-assn.org/practice-management/5-things-know-about-hipaa-and-cloud-computing