Cloud Computing and HIPAA Privacy and Security

Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits & Executive Compensation

This Note addresses the legal and contractual considerations relating to privacy and security under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the context of cloud computing. The Note includes specific contract provisions that should be considered when negotiating or evaluating a contract with a cloud provider.

Many covered entities (CEs) under HIPAA are considering moving information, including protected health information (PHI), to cloud storage, or using software and applications that incorporate PHI and reside on the cloud. The HIPAA privacy and security rules issued by the Department of Health and Human Services (HHS) do not specifically address the use of cloud services, and there are many unanswered questions about how best to capture the predicted advantages of cloud computing while also properly protecting PHI.

This Practice Note addresses legal and contracting issues related to the intersection of HIPAA privacy and security and cloud computing, including:

- Cloud computing service models.
- Business associate (BA) status and agreements.
- Special concerns in contracting with cloud providers.
- Key provisions that should be addressed in contracts with cloud providers.

For more information on HIPAA privacy and security issues, see Health Insurance Portability and Accountability Act of 1996 (HIPAA) Toolkit.
Definition of Cloud Computing

Cloud computing is defined in guidelines issued by the National Institute of Standards and Technology (NIST) as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." In plainer language, cloud computing gives users on-demand access to computing resources from any location, with the ability to increase or decrease capacity as needed, by using pooled resources that are available to multiple users. In general, the expectation of the user (and the cloud provider) is that the user will need little direct interaction with the provider after:

- A contractual arrangement is in place.
- The interface between the user and provider is set up.

A user can create its own private cloud, or a group of users can create a community cloud. There are also hybrid clouds composed of two or more cloud infrastructures (for example, a community cloud and a private cloud) that share technology to allow data and application portability. The more common structure, however, is the public cloud, which is available to any user that enters into an appropriate contract with the cloud provider.

Cloud Computing Service Models

NIST divides cloud computing into three service models:

- Infrastructure as a Service (IaaS) (see Infrastructure as a Service).
- Software as a Service (SaaS) (see Software as a Service).
- Platform as a Service (PaaS) (see Platform as a Service).

CEs are most likely to use IaaS or SaaS.

Infrastructure as a Service

IaaS gives the user access to traditional computing resources (such as storage and processing) with the ability to run operating systems and applications of the user's own choosing (for example, Amazon EC2 offers IaaS). Under this model, the user controls the operating systems, storage and deployed applications, and may have limited control of some networking components, such as host firewalls. NIST identifies this model as:

- Promoting interoperability as well as portability of user workloads, because network protocols, central processing unit instruction sets and device interfaces are relatively well-defined.
- Placing more system management responsibility on users than either SaaS or PaaS.

Software as a Service

SaaS makes the provider's applications (such as e-mail or productivity tools) that reside on the cloud available to users on demand (for example, Google Apps for Business). Under this model, the cloud provider is usually responsible for keeping the software updated and installing patches, while the user's control is often limited to application configuration settings. The user avoids time-consuming software installation procedures and gains the advantage of a small software footprint on the user's computers.

Platform as a Service

PaaS gives the user a toolkit supported by the provider to develop applications and make those applications, and applications acquired by the user, available to the user's customers (for example, both AT&T and Oracle offer PaaS). This model usually gives the user control over the user's applications and may offer the user control of configuration settings for the hosting environment. As with SaaS, the user gains the advantage of a small software footprint on the user's computers.
Cloud Economics

Many cloud providers predict that businesses can reduce computing and data storage costs by using the cloud, because the businesses do not need to invest in ownership and maintenance of large numbers of servers or the personnel to maintain them. The SaaS and PaaS models also free users from needing to:

- Purchase and manage software licenses.
- Keep the software updated and patched.

Instead, businesses can contract with a cloud provider to use the capacity and software they need, with greater (or lesser) capacity available as needed and with system and software maintenance handled by the cloud provider, at a lower total cost. In addition, the cloud may offer greater convenience and efficiency for businesses by making resources and data available as needed from any location and any device that offers an appropriate interface (for example, a browser and an internet connection). The ability to avoid significant investment in servers, staff and software may be particularly attractive to start-up companies and to established companies that are testing proposed changes to systems.

Cloud services are generally measured and priced in units of usage that are attributed to specific users. The units might measure:

- Time or manner of use.
- Number or type of users.
- Number of transactions executed or number of records processed.
- Specific resources, such as storage, used.
- Bandwidth used.
- Other criteria identified in the contract between the cloud provider and the user.

Cloud Privacy and Security for PHI

Although cloud computing may provide improved efficiency and reduced cost for users, it is not a cure-all for privacy and security issues. A user might improve the privacy and security of its data by moving to the cloud, but the user must still manage privacy and security within the user's own workforce and facilities.
In addition, because the cloud is accessed through a network, the user will need:

- A secure network that is sufficiently robust to import or export the types and amounts of data that will be stored and used.
- At least some IT staff to maintain the reliability of that network and any user-managed software or systems.

Clouds are subject to all of the privacy and security issues that affect traditional, single-user computing systems and networks. In addition, when PHI is moved to the cloud, the CE loses some degree of control. In the public and community cloud models:

- Servers are not usually dedicated to particular users.
- The data of more than one user may be stored on a single server, and user data and workloads may be moved from server to server (and even from one geographic location to another) without the user's knowledge.

Also, cloud providers may be attractive targets for hackers because of the concentration of data. When using cloud services, the CE is relying largely on the cloud provider's expertise in managing and maintaining access to the CE's data while also keeping the data secure. Cloud providers often:

- Impose uniform, enterprise-wide management, privacy and security protocols.
- Offer users additional configurable tools to increase the privacy and security protections provided by the uniform protocols.

For example, the cloud provider will grant access to anyone who is able to log in using the required credentials, and may establish the type and strength of the required credentials. But the user will determine which members of its workforce are given the necessary credentials, and may be able to require stronger credentials than the minimum required by the cloud provider.

Careful drafting of contract provisions is crucial in establishing appropriate privacy and security protections for PHI in the cloud. Also, users can mitigate the risks of moving data to the cloud by:

- Reviewing third-party reports on the cloud provider's privacy and security safeguards (for example, SSAE 16 reports).
- Examining the cloud provider's track record and user audit rights.

Business Associate Status and Agreements

Many of the HIPAA privacy and security requirements that apply to CEs must also be imposed by contract on companies or individuals that perform services for the CE, if those services require access to or use of PHI. Currently, under the final privacy and security regulations, the CE is responsible for ensuring that an appropriate contract (referred to as a business associate agreement (BAA)) is in place. The Health Information Technology for Economic and Clinical Health (HITECH) Act makes BAs directly responsible for compliance with HIPAA privacy and security requirements, regardless of whether the CE obtains a BAA. However, as of this Note's writing, final regulations implementing that requirement have not been issued, and HHS has stated that it will not take enforcement action until at least 180 days after publication of final regulations. Currently, and in addition to numerous other requirements, a BAA must require the BA to:

- Use appropriate safeguards to prevent use or disclosure of the information other than as provided by the BAA.
- Implement administrative, physical and technical safeguards that reasonably and appropriately protect PHI.
The status of cloud providers that hold PHI is an important but gray area with no specific guidance yet from HHS. The definition of a BA under HHS regulations offers little help. In general terms, an entity is a BA if it either:

- Performs or assists in performing functions or activities for a CE that involve the use or disclosure of PHI.
- Provides certain kinds of services to a CE, including management and administrative services, if those services involve the disclosure of PHI by the CE to the service provider.

(For a discussion of BAs under HIPAA, see Practice Note, HIPAA Privacy Rule: Entities Covered by the Privacy Rule.)

Whether storage of PHI that is uploaded by a CE is enough, by itself, to make a cloud provider a BA is unclear. The answer might depend on:

- The degree to which the cloud provider has access to the PHI.
- Whether the cloud provider uses the PHI in addition to storing it.
- Whether the receipt of PHI that the cloud provider will not access or use except in rare instances is enough to make a cloud provider a BA.

For example, if a CE stores PHI on the cloud and the contract gives the cloud provider total access to the PHI (an "open box" model), HHS will almost certainly conclude that the cloud provider is a BA and that a BAA must be in place. However, if the agreement with a cloud provider prohibits the provider from having access to the PHI (a "sealed box" model), the cloud provider may not fit the definition of a BA. Many agreements grant the cloud provider limited access to the data stored by the user (a "flip-top box" model), such as to assist the user if there are access problems or if the user's data is subpoenaed by a third party. In those cases, it is unclear whether the cloud provider is a BA, but the conduit exception may be a useful analogy (see Conduit Exception to Business Associate Status).
Conduit Exception to Business Associate Status

In the preamble to the final HIPAA privacy rule, HHS stated that a BAA is not required with an "organization that acts merely as a conduit" for PHI. The preamble gives as examples of conduits:

- The US Postal Service.
- Private couriers and their electronic equivalents.

Conduits transport information but do not access it except on a "random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law." According to the preamble, a conduit is not a BA because no disclosure is intended and the likelihood of exposure of any particular PHI to a conduit is very small. Although a cloud provider that stores PHI differs in some respects from a conduit that merely transports PHI, a cloud provider that offers a flip-top box model is similar in many other respects:

- The cloud provider does not access the PHI except on a random or infrequent basis as necessary to assist the CE if there is a problem accessing the PHI, or as required by law.
- No disclosure of PHI to the cloud provider is intended.
- The likelihood of exposure of PHI is small.

Whether HHS would agree that a cloud provider offering a flip-top box model is a conduit rather than a BA is unknown. The most cautious CEs will want BAAs. Many cloud providers will resist taking on all of the obligations of a BA because many of those obligations are inconsistent with the cloud provider business model. For example, the individual rights provisions of the HIPAA privacy rule that impose obligations on BAs relating to access to and amendment of PHI that is maintained in designated record sets seem ill-suited to a cloud provider that merely stores PHI (see Standard Document, HIPAA Business Associate Agreement). In addition, in many (or perhaps most) cases, the cloud provider will not know whether it is holding PHI or, if it knows that some of the data is PHI, it might not know which data is PHI and which is not.

Contracting with Cloud Providers

Negotiating a contract for cloud computing services requires cooperation among several groups of the cloud user's workforce, including procurement, legal, IT, compliance and the groups that are expected to use the cloud computing services. It is highly unlikely that a cloud provider's form contract will fit every user, and the contract and service level agreements (SLAs) should address the user's particular needs. When PHI is being moved to the cloud, there is an even greater need to ensure that compliance requirements, such as privacy and security, are addressed in a way that reflects both the user's obligations and the provider's capabilities.

Moving any data to the cloud raises privacy and security issues, but moving PHI to the cloud raises special concerns. When PHI resides on servers that are owned by a CE, the ability to control and protect the PHI is entirely within the CE's power. When PHI resides on the cloud, however, the CE must make sure that its contract with the cloud provider properly addresses the cloud provider's obligations, including privacy and security obligations, whether through a BAA or other contract provisions.

Many public cloud providers offer their services on a non-negotiable, take-it-or-leave-it basis, sometimes as an online clickwrap agreement. A CE should be extremely cautious before moving any PHI to a cloud provider that refuses to negotiate contract terms. One size does not fit all, and especially not when PHI is involved. In addition, most cloud providers serve users in multiple business sectors (for example, retail, manufacturing and service professions), and their protocols are not specifically adapted to a particular type of data such as PHI, which has significant and specialized compliance and regulatory requirements.
There is some speculation that a niche industry of cloud providers that are specifically set up and designed to handle PHI might develop.

Sometimes entities referred to as integrators buy access to cloud services in bulk and resell the access in smaller increments to users. Integrators may be willing to enter into customized contracts with users, but users should determine whether the integrator is:

- In fact able to provide any customized services or protocols that are promised.
- Assuming liability beyond that of the cloud provider to the integrator.

Also, the integrator's financial stability should be a crucial factor in the user's purchasing decision.

Contracts with cloud providers should include all the standard provisions found in any contract for services, including:

- Identification of the parties.
- The term of the agreement.
- Termination provisions.
- Notice provisions and procedures.
- Liability and indemnification provisions.

In addition, contracts with cloud providers should include, either in the body of the contract or as an appendix or exhibit, SLAs that establish technical performance promises and the penalties that will be paid or remediation that will be undertaken if the promised level of performance is not met. Some of the key contract and SLA provisions that should be considered when negotiating or evaluating a contract with a cloud provider include:

- User tools (see User Tools).
- Disaster recovery (see Disaster Recovery).
- Audit rights (see Audit Rights).
- Unilateral changes to protocols (see Unilateral Changes to Protocols).
- Security and privacy (see Security and Privacy).
- Return of data (see Return of Data).
- Intellectual property rights (see Intellectual Property Rights).
- Encryption (see Encryption).
- Data location (see Data Location).

User Tools

Cloud providers generally offer tools that allow their customers to establish privacy and security protocols to meet the customers' particular needs.
If the customer is a CE, it should have a clear understanding of:

- What tools are available and how the protocols can be configured.
- Which privacy and security protections the cloud provider has in place on an enterprise-wide basis.

Before entering into a contract, the CE should determine whether the tools and provider protections offer sufficient strength and flexibility to meet the CE's needs. It is equally important for the CE to make use of the tools to protect its data appropriately. A CE that has poor privacy and security in place at its own facilities and on its own servers, and that does not actively manage access to PHI in the cloud, might not automatically gain better privacy and security simply by moving PHI to the cloud, even if the cloud provider has strong privacy and security protections in place.

Disaster Recovery

Responsibility for the various aspects of disaster recovery should always be addressed in contracts with cloud providers. Recovery might be easier for data stored on the cloud than on a CE's own servers, because cloud providers generally offer multiple redundancy, which means that:

- The customer's PHI is copied, updated and stored on servers at several locations.
- A disaster affecting one location still leaves the PHI available from other locations.

The exact requirements for redundancy should be covered in the contract.

Audit Rights

Cloud providers are often in the process of simultaneously:

- Adding capacity and customers.
- Making changes to their systems and protocols.

Therefore, CEs should include an audit provision in their contracts with cloud providers so that a CE can periodically review whether the cloud provider is implementing all of the privacy and security protections required by the contract and by the cloud provider's own privacy and security protocols. Some cloud providers do not grant audit rights to individual customers, because allowing each customer to send in its own auditors might be disruptive. Instead, those cloud providers often arrange for an independent auditor to:

- Review the provider's systems and protocols, both as documented and as implemented.
- Make that single report available to all customers, or to all customers that request it.

However, the difficulty with any audit is that it is a snapshot of conditions at a particular time, and the cloud provider could make changes the next day that would not be visible to the user until the next audit. In response to this concern, continuous monitoring by users is becoming more common and is required for federal agency use of cloud services. A continuous monitoring process is described in a NIST Special Publication.

Unilateral Changes to Protocols

Contracts between CEs and cloud providers should always address the security, privacy and other protocols that will be implemented by the provider. However, the best contract provisions will be of no use if the cloud provider has the unilateral right to change its protocols. If the user is relying to any extent on the provider's protocols:

- The user should, at a minimum, have the right to advance notice of planned changes to those protocols.
- The notice should be given far enough in advance to permit the user to migrate its data if it finds the planned changes unacceptable.
Migrating data can be time-consuming and expensive, though, so a better contract provision would prohibit the cloud provider from unilaterally changing protocols, or at least specified protocols that are of particular importance to the user, such as those relating to privacy and security.

Security and Privacy

The HIPAA privacy regulations require CEs to have in place appropriate administrative, technical and physical safeguards to protect the privacy of PHI (see Practice Note, HIPAA Privacy Rule). The HIPAA security regulations require CEs to implement reasonable and appropriate policies and procedures to address the administrative, technical and physical safeguards for electronic PHI (ePHI) (see Practice Note, HIPAA Security Rule). Although the security regulations address numerous aspects of the protection of ePHI, with a total of 54 standards and implementation specifications, these regulations:

- Are not prescriptive.
- Do not require use of specific tools, software, hardware or other protections.

Instead, the security regulations are written in terms of taking reasonable and appropriate action, based on a:

- Risk assessment performed by the CE.
- Risk management plan developed by the CE based on the findings of the risk assessment, with periodic evaluations to address changes in circumstances or environment.

The security standards and implementation specifications essentially identify the things that the CE should address, but not how to address them. Also, the security regulations:

- Specifically permit the CE to use any security measures that allow for reasonable and appropriate implementation of the standards and implementation specifications.
- Require the CE to take into account the CE's size, complexity and capabilities, its technical infrastructure, and its hardware and software security capabilities.
While this approach is intended to allow scalability and flexibility, it puts the burden on the CE to determine exactly what is reasonable and appropriate, and leaves the CE with the risk that, if a breach occurs or a complaint is filed, HHS investigators might not agree with the CE's decisions regarding what was reasonable and appropriate. In addition, other than noting that any contract with a cloud provider should address privacy and security of PHI, it is difficult to give general advice on what privacy and security requirements should be in the contract. An effective approach likely involves:

- An evaluation by the CE of its risk assessment to determine whether it is up to date.
- Revising the CE's risk management plan as necessary based on the evaluation.
- Determining which privacy and security protocols and tools offered by the cloud provider will best protect the PHI.

If the CE determines that a cloud provider cannot provide reasonable and appropriate privacy and security protection, the CE should attempt to find a cloud provider with better protections or should defer uploading PHI.

Return of Data

The HIPAA privacy regulations require that PHI be returned or destroyed at the termination of a BAA. However, any cloud user (not just a CE) should be sure it has appropriate contractual provisions in place to prevent data from being breached or otherwise falling into the wrong hands after a contract with a cloud provider ends (see Practice Note, HIPAA Privacy Rule). Requirements for secure data deletion, on the cloud user's request, should be considered for inclusion in any contract with a cloud provider.

Intellectual Property Rights

Some cloud provider contracts are so broad that they purport to grant the provider rights in any intellectual property that is uploaded to the provider's servers. The risks inherent in these provisions are obvious, and any cloud user (not just a CE) should avoid giving away its intellectual property.

Encryption

Under the HIPAA security regulations, encryption (at rest and in transmission) is an addressable implementation specification (see Practice Note, HIPAA Security Rule). Regardless of whether a CE has encrypted its PHI before moving it to the cloud, it should contract for automatic encryption of everything that it uploads, with:

- A robust encryption algorithm.
- Keys of specified strength.
- Clear provisions covering key management and access.

Encryption adds a layer of protection and, if the encryption is done in a manner that meets HHS requirements, the PHI is not subject to the breach notification obligations put in place by the HITECH Act (see Practice Note, HIPAA Privacy Rule: Notification of Breach of Unsecured PHI). The cloud provider usually keeps a copy of the encryption key so that it can assist the customer in the event of access problems. There are also technological solutions that:

- Allow a user to encrypt all information before it is uploaded to the cloud provider.
- Keep the data encrypted while it is at rest on the provider's servers, with the user holding the encryption key.
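The second of these solutions, client-side encryption with the CE holding the key, is what the Go program below does in miniature. It is an added example written for this edit, not code from the Note or from any cloud provider. The ProviderStore and Client types, the record IDs and the sample record are all constructed for the illustration, and AES-256-GCM with the record ID bound as associated data is this example's choice of mechanism, not one the Note or HHS prescribes. The provider's store only ever receives the output of Seal, so the "sealed box" property holds by construction: the provider cannot read the record, and, as the Note goes on to observe, cannot open it to help the CE either.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProviderStore stands in for the cloud provider's storage: opaque blobs keyed
// by record ID. The key never reaches it, so it can neither read nor repair data.
type ProviderStore map[string][]byte

// Client is the covered entity's side. The AES-256 key is generated and kept on
// the CE's own systems (an HSM or CE-controlled key service in practice; that is
// an assumption of this example, not something the Note prescribes).
type Client struct {
	aead cipher.AEAD
}

func NewClient() (*Client, error) {
	key := make([]byte, 32) // 256-bit key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: g}, nil
}

// Seal encrypts one record with AES-256-GCM. The record ID is bound as associated
// data so a blob relabelled under another ID fails to open. Layout: nonce||ct||tag.
func (c *Client) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Without the key, including on the provider's side, the
// result is an authentication error, never plaintext.
func (c *Client) Open(recordID string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than nonce")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

// Upload encrypts before anything leaves the CE; Download decrypts after it
// returns. The provider only ever handles the output of Seal.
func (c *Client) Upload(store ProviderStore, recordID string, phi []byte) error {
	blob, err := c.Seal(recordID, phi)
	if err != nil {
		return err
	}
	store[recordID] = blob
	return nil
}

func (c *Client) Download(store ProviderStore, recordID string) ([]byte, error) {
	blob, ok := store[recordID]
	if !ok {
		return nil, errors.New("no such record")
	}
	return c.Open(recordID, blob)
}

func main() {
	ce, err := NewClient()
	if err != nil {
		panic(err)
	}
	provider := ProviderStore{}
	phi := []byte("patient=0001;note=constructed sample record") // constructed, not real PHI
	if err := ce.Upload(provider, "rec-0001", phi); err != nil {
		panic(err)
	}
	blob := provider["rec-0001"]
	fmt.Printf("provider holds %d bytes; plaintext visible: %t\n", len(blob), bytes.Contains(blob, []byte("patient")))
	back, err := ce.Download(provider, "rec-0001")
	fmt.Printf("CE decrypts: %q (err=%v)\n", back, err)
	// The provider cannot "assist" by opening the blob: it holds no key.
	providerSide, _ := NewClient() // any key that is not the CE's
	_, err = providerSide.Download(provider, "rec-0001")
	fmt.Println("provider-side open:", err)
	// A blob copied under a different record ID fails too (AAD binding).
	provider["rec-0002"] = blob
	_, err = ce.Download(provider, "rec-0002")
	fmt.Println("relabelled blob:", err)
}
```

Run it with `go run`. The point of binding the record ID as associated data is that a flip-top style "assist" that moves or restores blobs between records cannot silently substitute one patient's record for another: the substituted blob fails authentication rather than decrypting. Key management is the part the example does not solve; the Note's call for clear contractual provisions on key management and access applies with more force, not less, once the provider holds no copy of the key.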
Whether these solutions will become widely used remains to be seen, but in the event of an access issue, they would make it difficult for the cloud provider to assist the user.

Data Location

Although the HIPAA privacy and security regulations do not require PHI to be maintained within the US, a contract provision prohibiting the cloud provider from moving data outside the US may avoid problems. Data protection requirements outside the US vary widely and often differ from US requirements, and storing data outside the US can trigger application of the laws of other countries. Risking less legal protection is undesirable, but so is risking the application of laws that impose significantly different rules with which the CE or other cloud user is not familiar. In addition, in the event of litigation, data that is subject to non-US laws may:

- Give rise to issues of personal jurisdiction, venue and service of process.
- Require the retention of counsel authorized to practice in the courts of the country where the data is stored.

Service Level Agreements with Cloud Providers

Contracts with cloud providers should always include, either as part of the contract itself or as an appendix or exhibit to the contract, SLAs that document:

- The metrics by which the provider's performance will be measured.
- The penalties that the cloud provider will pay for failure to meet the metrics.

The subjects to be addressed in SLAs will depend, in part, on the type of services the user is purchasing from the cloud provider. For example, while all cloud users will want to address service availability, users of SaaS (see Software as a Service) will also want to include SLAs that address the timing of installation of software updates and patches. All agreements with cloud providers should include SLAs that address the following issues, among others.

Availability

Availability refers to the ability to access and use the cloud services.
One of the underlying assumptions of cloud services, and a selling point, is that the cloud allows users to access data at any time, so that workers in different time zones or with diverse work schedules can be accommodated. But the definition of availability in the SLAs is important, and even a promise of 100% availability (except for scheduled downtime) might be misleading. For example, it may be unclear whether the SLAs define the service as available when:

- The cloud network is functioning and responsive, even though a user cannot access specific files.
- The specific files can be accessed but the system is slow in responding.

In addition to defining availability carefully, the metrics for availability should also be defined. As two examples:

- There is a big difference between loading a file of a specified size within five seconds and within 30 seconds.
- A metric that defines unavailability as failure to load a file after three requests is much less satisfactory than a metric that requires only one failed request.

Methods of measurement, and burden of proof, are also important. If the cloud user must notify the service provider of alleged unavailability, and provide evidence, the SLAs might be worthless. However, if there is a third-party availability monitoring system in place, the user's burden will be substantially lessened. The cloud provider should specifically address:

- The percentage of time that systems and data will be available.
- The maximum planned downtime or scheduled outages (for example, for system maintenance).
- The schedule of planned downtime.
- How availability will be calculated.

It is common to see availability metrics approaching 100%, but the method of calculating availability might make those promises illusory. The time intervals for measuring availability vary and can range from a low of five minutes (so that a four-minute failure does not count against the availability metrics) to a high of one hour or more (so that a 59-minute failure does not count). Also, the period over which availability is measured can range from one billing cycle to a year or more. The longer the measurement interval and the longer the period over which availability is measured, the more downtime the user may experience without the cloud provider failing to meet its SLAs. In addition, the definition of availability should be reviewed carefully, to determine whether it includes all response failures or is limited to response failures with specific causes.

Data Deletion

The SLAs should specify an outside time limit for deletion of data. While data deletion often occurs on a regular schedule, the metrics for data deletion in special cases (for example, if the user is served with a cease and desist order) might vary, and the time limits might be relatively short.

Customer Service

Although one of the underlying principles of cloud computing is that there is relatively little interaction between the workforces of the user and the provider, there will always be events requiring person-to-person communication. For those events, the SLAs should place an outside limit on provider response time. Depending on the service model, this SLA might need to separately address:

- Call center response time.
- Technical support response time.

System Response Speed

A slow system is often as much of a problem as a system that is down. Therefore, while the availability metrics address system outages, the SLAs should also address the response speed of the systems.
The appropriate metrics for system response speed will depend on the service model and the user's specific needs.

Responsiveness to Load Changes

Flexibility is one of the hallmarks of cloud services, and cloud users expect to be able to increase their usage rapidly and easily, within any contractual limits. The SLAs should address and limit any lag that may occur between:

- The user's upload of additional data.
- The cloud system's ability to accommodate the data.

Disaster Recovery Time

Cloud providers usually store users' data in multiple locations (both logically and geographically) to be able to respond to disasters and catastrophic outages or failures. The SLAs should place an outside limit on the time it will take the cloud provider to deliver availability on redundant systems. When availability is provided through redundant systems, there should also be a limit on how long it takes the cloud provider to return its other systems to availability, so that any contractual terms regarding the number of redundant systems or copies of data are not violated.

Other Issues

Any provision in a cloud service contract that can be quantified can also be reflected in the SLAs. SLAs should also specify:

- How the penalties for failures to meet the metrics are calculated.
- How the penalties are received by the user (for example, as setoffs against fees owed by the user, or as no-fee extensions of services).
- When the penalties are received by the user (for example, as setoffs against future fees or against fees currently owed).
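The Availability discussion above makes a quantitative claim: the measurement interval and the measurement period can turn the same outages into a passing or a failing SLA figure. The Go program below puts numbers on that claim. It is an added example written for this edit, not code from the Note or from any provider. It takes a constructed list of three outages in one 30-day billing cycle (4, 59 and 125 minutes), computes availability by charging every minute of downtime, then under the common provider rule that an interval counts as down only if the service was down for the whole interval (at five-minute and one-hour intervals), and then repeats all three calculations over a 365-day period. The outage list, the 99.9% target and the whole-interval counting rule are assumptions for the illustration.

```go
package main

import "fmt"

// Outage is one unplanned outage: Start is the minute offset from the beginning
// of the measurement period, Minutes its length. Outages are assumed not to overlap.
type Outage struct {
	Start, Minutes int
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

func maxInt(a, b int) int {
	if a > b {
		return a
	}
	return b
}

// downtimeIn returns the minutes of outage that fall inside the window [from, to).
func downtimeIn(from, to int, outages []Outage) int {
	total := 0
	for _, o := range outages {
		lo := maxInt(from, o.Start)
		hi := minInt(to, o.Start+o.Minutes)
		if hi > lo {
			total += hi - lo
		}
	}
	return total
}

// ExactAvailability charges every minute of downtime against the period.
func ExactAvailability(periodMinutes int, outages []Outage) float64 {
	return 1 - float64(downtimeIn(0, periodMinutes, outages))/float64(periodMinutes)
}

// SampledDowntime models a provider that cuts the period into fixed intervals and
// counts an interval as down only when the service was down for the whole interval.
// A four-minute failure disappears under five-minute intervals; a 59-minute
// failure disappears under one-hour intervals. A short final interval is handled.
func SampledDowntime(periodMinutes, intervalMinutes int, outages []Outage) int {
	down := 0
	for from := 0; from < periodMinutes; from += intervalMinutes {
		to := minInt(from+intervalMinutes, periodMinutes)
		if downtimeIn(from, to, outages) == to-from {
			down += to - from
		}
	}
	return down
}

// SampledAvailability is the figure the provider would report under that rule.
func SampledAvailability(periodMinutes, intervalMinutes int, outages []Outage) float64 {
	return 1 - float64(SampledDowntime(periodMinutes, intervalMinutes, outages))/float64(periodMinutes)
}

func main() {
	// Constructed sample: a 4-minute, a 59-minute and a 125-minute outage in one
	// 30-day billing cycle, 188 minutes of real downtime in total.
	outages := []Outage{{Start: 1000, Minutes: 4}, {Start: 20000, Minutes: 59}, {Start: 30000, Minutes: 125}}
	const target = 0.999 // assumed SLA promise
	periods := []struct {
		name    string
		minutes int
	}{
		{"30-day billing cycle", 30 * 24 * 60},
		{"365-day year, same three outages", 365 * 24 * 60},
	}
	for _, p := range periods {
		fmt.Println(p.name)
		exact := ExactAvailability(p.minutes, outages)
		fmt.Printf("  every minute counted   %.4f%%  meets 99.9%%: %t\n", 100*exact, exact >= target)
		for _, iv := range []int{5, 60} {
			a := SampledAvailability(p.minutes, iv, outages)
			fmt.Printf("  %2d-minute intervals    %.4f%%  meets 99.9%%: %t\n", iv, 100*a, a >= target)
		}
	}
}
```

With these inputs every monthly figure misses 99.9% (99.5648% counted exactly, 99.5833% at five-minute intervals, 99.7222% at one-hour intervals) and every yearly figure meets it (99.9642%, 99.9658% and 99.9772%), from the same 188 minutes of outage. Those are the two levers the Note warns about, and a CE can run its own incident history through a proposed SLA definition in the same way before signing.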

More information

Managing PHI in the Cloud Best Practices

Managing PHI in the Cloud Best Practices Managing PHI in the Cloud Best Practices Executive Whitepaper Recent advances in both Cloud services and Data Loss Prevention (DLP) technology have substantially improved the ability of healthcare organizations

More information

security in the cloud White Paper Series

security in the cloud White Paper Series security in the cloud White Paper Series 2 THE MOVE TO THE CLOUD Cloud computing is being rapidly embraced across all industries. Terms like software as a service (SaaS), infrastructure as a service (IaaS),

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Secure HIPAA Compliant Cloud Computing

Secure HIPAA Compliant Cloud Computing BUSINESS WHITE PAPER Secure HIPAA Compliant Cloud Computing Step-by-step guide for achieving HIPAA compliance and safeguarding your PHI in a cloud computing environment Step-by-Step Guide for Choosing

More information