HIPAA Cloud Computing Guidance


HIPAA Cloud Computing Guidance
Adam Greene, JD, MPH, Partner
Rebecca Williams, BSN, JD, Partner

"Nature is a mutable cloud which is always and never the same." Ralph Waldo Emerson

Agenda
- A few historical notes
- FAQs in Guidance
- Considerations
  - For Covered Entity and Business Associate Customers
  - For Cloud Service Providers
- Questions

History of HIPAA and Cloud Computing
- Pre-2013: question over whether a cloud service provider ("CSP") is a business associate ("BA")
  - Definition of BA required use or disclosure of individually identifiable health information on behalf of a covered entity ("CE")
  - Potentially a conduit, which transports PHI, with access only on a random or infrequent basis; transient nature
- HIPAA Omnibus Rule (released January 2013)
  - Revised definition of BA to include an entity that creates, receives, maintains, or transmits protected health information ("PHI") on behalf of a CE or BA
  - Did not use the term "cloud," but referred to data storage companies

HIPAA Cloud Computing Guidance
- HHS Office for Civil Rights ("OCR") released cloud computing guidance on 10/6/16
- Primarily a series of FAQs
- Confirmed that CSPs that create, receive, maintain, or transmit PHI are BAs

1. May a CE/BA use a CSP to store or process ePHI?
- Yes!

1. May a CE/BA use a CSP to store or process ePHI?
- Must enter a business associate agreement ("BAA") (obligation primarily falls on the customer)
- Both the CE/BA customer ("customer") and the CSP should conduct a risk analysis
- Customer should consider how the cloud configuration (e.g., public, hybrid, private, etc.) affects its risk analysis

1. May a CE/BA use a CSP to store or process ePHI?
- Any Service Level Agreement should be consistent with the BAA and HIPAA
- CSP cannot withhold customer access to ePHI
- CSP is directly subject to certain HIPAA provisions (e.g., Security Rule, impermissible uses and disclosures)

1. May a CE/BA use a CSP to store or process ePHI?
- Remaining questions:
  - Does this apply to colocation services?
  - Storage of voicemail or text messages by a telecom?

2. If a CSP stores only encrypted PHI and does not have a decryption key, is it a BA?
- Yes, the CSP receives and maintains PHI
  - Even though the CSP cannot view the PHI
  - Called "No View Services"
- Outstanding issue with OCR, but now resolved
- Encryption significantly reduces risk
  - But HIPAA safeguards are still needed

2. No View Services: Security
- Flexible & scalable to address no view services
- Some security safeguards may be satisfied for both parties through the actions of one
- Suggests confirming the responsibilities of each party in writing
- CSP not responsible for compliance failures attributable solely to the customer
- Facts & circumstances

2. No View Services: Privacy & Breach
- Still bound by use and disclosure restrictions
- May not impermissibly use PHI by blocking or terminating customer access
- Address individual rights of access, amendment, and accounting of disclosures
- Notification of breach of unsecured PHI
  - May meet the encryption safe harbor, but what if the encryption does not meet NIST specifications?

3. Can a CSP be a conduit?
- Generally, no

3. Can a CSP be a conduit?
- Scenario 1
  - Internet Service Provider ("ISP") provides only conduit services to Customer A. Provides only data backup to Customer B.
  - Not a BA of Customer A. BA of Customer B for maintained and transmitted PHI.
- Scenario 2
  - ISP provides Customer A with: (1) transmission services; and (2) data backup services.
  - Guidance suggests the ISP is a BA for both the data backup and the transmission services.
  - If the transmission services are truly separate, there may be a reasonable argument that they fall under the conduit exception.

3. Can a CSP be a conduit?
- Remaining questions:
  - What is "temporary" for purposes of distinguishing between a conduit and a CSP? 30 days?
  - Can a CSP provide both BA services and conduit services to the same customer?

4. Which CSPs offer HIPAA-compliant cloud services?
- OCR does not endorse, certify, or recommend specific technology or products

5. What if no BAA?
- Customer is violating HIPAA.
- CSP has a choice:
  1. Come into compliance with HIPAA; or
  2. Securely return the PHI to the customer or, if agreed to by the customer, securely destroy the PHI.
- CSP generally must complete the action within 30 days to qualify for the affirmative defense to penalties.

5. What if no BAA?
- Remaining questions:
  - What if unsure? For example, the CSP discovers a breach involves ABC Medical Practice, but does not have a BAA. Does not know if the breach involves PHI.
  - If the customer is nonresponsive, can the CSP terminate the account and delete the data?

6. If a CSP experiences a security incident involving ePHI, must it report the incident to the CE/BA?
- Yes
- Security Incident: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system

6. Must a CSP report security incidents to its CE/BA customers?
- Under HIPAA, BAs must:
  - Identify and respond to security incidents
  - Mitigate, to the extent practicable
  - Document security incidents and their outcome
- Under HIPAA, BAs must report when a security incident rises to the level of a breach
- Under the BAA, BAs must report to their CE/BA any security incidents of which they become aware

6. Must a CSP report security incidents to its CE/BA customers?
- Flexibility on reporting of security incidents
  - Parties may work out the level of detail, frequency, or format of reports (e.g., based on risk to PHI)
- Remaining questions:
  - Is advance notice in the BAA sufficient?

7. Does HIPAA allow using mobile devices to access ePHI in the cloud?
- Yes

8. Does HIPAA require a CSP to maintain ePHI for some time period beyond when it has finished providing services to the CE/BA?
- No

9. Are overseas BAs allowed?
- Yes
- Consider any additional risks in the risk analysis

9. Are overseas BAs allowed?
- Remaining questions:
  - Does this mean that every BA must be separately addressed in the risk analysis?
  - Is an overseas BA directly subject to HIPAA?

10. Does HIPAA require CSPs that are BAs to provide documentation or allow auditing of their security practices by customers?
- No
- No HIPAA right for a customer to audit the CSP or to require the CSP to provide security documentation, such as security questionnaires
- Note the CSP is directly liable for:
  - Failure to safeguard ePHI under the Security Rule
  - Impermissible uses and disclosures of PHI under the Privacy Rule
- BAA requires appropriate safeguards

10. Must CSPs provide documentation to or allow auditing of their security practices by customers?
- CE/BA may request additional assurances from the CSP based on its own risk analysis, risk management, and other compliance activities
- Remaining questions:
  - What are a CE/BA's due diligence obligations for a CSP?
  - Are there monitoring or auditing expectations?

11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a BA?
- A CSP is not a BA if it only handles de-identified information

Covered Customer Considerations
- Understand cloud services and environment
  - Identify all uses of CSPs, both authorized and unauthorized
- Include CSPs in risk analysis and risk management
- Have a BAA in place with the CSP
  - Verify that the SLA or service agreement is consistent with HIPAA
  - Address customer and CSP obligations
- Understand the SLA/service agreement
- Understand the capabilities and limitations of the CSP and its services
- Consider due diligence and monitoring of the CSP, even though the CSP is not required to respond
- Encrypt, encrypt, encrypt

CSP Considerations
- Conduct a risk analysis and risk management plan.
- Treat all PHI as subject to HIPAA, even encrypted PHI.
- Create a plan for responding to PHI where it doesn't belong, e.g., come into compliance with HIPAA or require removal.
- Consider addressing how security responsibilities should be delegated and how the customer is notified of its responsibilities.
- Consider how to address privacy challenges (e.g., amendment requests) if you do not access PHI.
- Don't withhold access to PHI!

What's Not Addressed
- Where a breach is on the cloud but not the CSP's fault, does the CSP end up on the HHS breach website?
- Any due diligence or monitoring required in addition to the BAA?

Questions

For questions:
Becky Williams 206.757.8171 beckywilliams@
Adam Greene 202.973.4213 AdamGreene@