HIPAA Cloud Computing Guidance
Adam Greene, JD, MPH, Partner
Rebecca Williams, BSN, JD, Partner
"Nature is a mutable cloud which is always and never the same." Ralph Waldo Emerson
Agenda
- A few historical notes
- FAQs in the Guidance
- Considerations
  - For covered entity and business associate customers
  - For cloud service providers
- Questions
History of HIPAA and Cloud Computing
Pre-2013:
- Question over whether a cloud service provider ("CSP") is a business associate ("BA")
- Definition of BA required use or disclosure of individually identifiable health information on behalf of a covered entity ("CE")
- Potentially a conduit, which transports PHI, with access only on a random or infrequent basis; transient nature
HIPAA Omnibus Rule (released January 2013):
- Revised the definition of BA to include an entity that creates, receives, maintains, or transmits protected health information ("PHI") on behalf of a CE or BA
- Did not use the term "cloud," but referred to data storage companies
HIPAA Cloud Computing Guidance
- HHS Office for Civil Rights ("OCR") released cloud computing guidance on 10/6/16
- Primarily a series of FAQs
- Confirmed that CSPs that create, receive, maintain, or transmit PHI are BAs
1. May a CE/BA use a CSP to store or process ePHI?
Yes!
1. May a CE/BA use a CSP to store or process ePHI?
- Must enter into a business associate agreement ("BAA") (the obligation primarily falls on the customer)
- Both the CE/BA customer ("customer") and the CSP should conduct a risk analysis
- The customer should consider how the cloud configuration (e.g., public, hybrid, private) affects its risk analysis
1. May a CE/BA use a CSP to store or process ePHI?
- Any Service Level Agreement (SLA) should be consistent with the BAA and HIPAA
- The CSP cannot withhold customer access to ePHI
- The CSP is directly subject to certain HIPAA provisions (e.g., the Security Rule, impermissible uses and disclosures)
1. May a CE/BA use a CSP to store or process ePHI?
Remaining questions:
- Does this apply to colocation services?
- Storage of voicemail or text messages by a telecom?
2. If a CSP stores only encrypted PHI and does not have a decryption key, is it a BA?
- Yes: the CSP receives and maintains PHI, even though it cannot view the PHI
- Called "no-view services"
- Outstanding issue with OCR, but now resolved
- Encryption significantly reduces risk, but HIPAA safeguards are still needed
2. No-View Services: Security
- Flexible and scalable to address no-view services
- Some security safeguards may be satisfied for both parties through the actions of one
- Suggests confirming the responsibilities of each party in writing
- The CSP is not responsible for compliance failures attributable solely to the customer
- Facts and circumstances
2. No-View Services: Privacy and Breach
- Still bound by use and disclosure restrictions
- May not impermissibly use PHI by blocking or terminating customer access
- Address individual rights of access, amendment, and accounting of disclosures
- Notification of breach of unsecured PHI
- May meet the encryption safe harbor, but what if the encryption does not meet NIST specifications?
3. Can a CSP be a conduit?
Generally, no.
3. Can a CSP be a conduit?
Scenario 1:
- An Internet Service Provider ("ISP") provides only conduit services to Customer A and provides only data backup to Customer B.
- Not a BA of Customer A.
- BA of Customer B for the PHI it maintains and transmits.
Scenario 2:
- The ISP provides Customer A with (1) transmission services and (2) data backup services.
- The Guidance suggests the ISP is a BA for both the data backup and the transmission services.
- If the transmission services are truly separate, there may be a reasonable argument that they fall under the conduit exception.
3. Can a CSP be a conduit?
Remaining questions:
- What is "temporary" for purposes of distinguishing between a conduit and a CSP? 30 days?
- Can a CSP provide both BA services and conduit services to the same customer?
4. Which CSPs offer HIPAA-compliant cloud services?
OCR does not endorse, certify, or recommend specific technology or products.
5. What if there is no BAA?
- The customer is violating HIPAA.
- The CSP has a choice:
  1. Come into compliance with HIPAA; or
  2. Securely return the PHI to the customer or, if agreed to by the customer, securely destroy the PHI.
- The CSP generally must complete the action within 30 days to qualify for the affirmative defense to penalties.
5. What if there is no BAA?
Remaining questions:
- What if the CSP is unsure? For example, it discovers a breach involving ABC Medical Practice but does not have a BAA and does not know whether the breach involves PHI.
- If the customer is nonresponsive, can the CSP terminate the account and delete the data?
6. If a CSP experiences a security incident involving ePHI, must it report the incident to the CE/BA?
Yes.
Security incident: "attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
6. Must a CSP report security incidents to its CE/BA customers?
Under HIPAA, BAs must:
- Identify and respond to security incidents
- Mitigate, to the extent practicable
- Document security incidents and their outcomes
Under HIPAA, BAs must report when a security incident rises to the level of a breach.
Under the BAA, BAs must report to their CE/BA any security incidents of which they become aware.
6. Must a CSP report security incidents to its CE/BA customers?
Flexibility on reporting of security incidents:
- The parties may work out the level of detail, frequency, or format of reports (e.g., based on the risk to PHI)
Remaining questions:
- Is advance notice in the BAA sufficient?
7. Does HIPAA allow using mobile devices to access ePHI in the cloud?
Yes.
8. Does HIPAA require a CSP to maintain ePHI for some time period beyond when it has finished providing services to the CE/BA?
No.
9. Are overseas BAs allowed?
Yes. Consider any additional risks in the risk analysis.
9. Are overseas BAs allowed?
Remaining questions:
- Does this mean that every BA must be separately addressed in the risk analysis?
- Is an overseas BA directly subject to HIPAA?
10. Does HIPAA require CSPs that are BAs to provide documentation or allow auditing of their security practices by customers?
No.
- There is no HIPAA right for a customer to audit a CSP or to require the CSP to provide security documentation, such as security questionnaires.
- Note that the CSP is directly liable for:
  - Failure to safeguard ePHI under the Security Rule
  - Impermissible uses and disclosures of PHI under the Privacy Rule
- The BAA requires appropriate safeguards.
10. Must CSPs provide documentation to, or allow auditing of their security practices by, customers?
- A CE/BA may request additional assurances from the CSP based on its own risk analysis, risk management, and other compliance activities.
Remaining questions:
- What are a CE/BA's due diligence obligations for a CSP?
- Are there monitoring or auditing expectations?
11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a BA?
A CSP is not a BA if it handles only de-identified information.
Covered Customer Considerations
- Understand cloud services and the environment
- Identify all uses of CSPs, both authorized and unauthorized
- Include CSPs in risk analysis and risk management
- Have a BAA in place with the CSP
- Verify that the SLA or service agreement is consistent with HIPAA
  - Address customer and CSP obligations
  - Understand the SLA/service agreement
- Understand the capabilities and limitations of the CSP and its services
- Consider due diligence and monitoring of the CSP, even though the CSP is not required to respond
- Encrypt, encrypt, encrypt
CSP Considerations
- Conduct a risk analysis and a risk management plan.
- Treat all PHI as subject to HIPAA, even encrypted PHI.
- Create a plan for responding to PHI where it doesn't belong, e.g., come into compliance with HIPAA or require removal.
- Consider addressing how security responsibilities should be delegated and how the customer is notified of its responsibilities.
- Consider how to address privacy challenges (e.g., amendment requests) if you do not access PHI.
- Don't withhold access to PHI!
What's Not Addressed
- Where a breach is on the cloud but not the CSP's fault, does the CSP end up on the HHS breach website?
- Is any due diligence or monitoring required in addition to the BAA?
Questions
For questions:
Becky Williams, 206.757.8171, beckywilliams@
Adam Greene, 202.973.4213, AdamGreene@