1 The Challenges of Applying HIPAA to the Cloud
Adam Greene, Partner, Davis Wright Tremaine LLP

2 AGENDA
- Key Concepts Under HIPAA
- HIPAA Obligations for a BA
- Questions Remain
- Reaching Answers
- Resources
3 KEY CONCEPTS UNDER HIPAA
Covered Entity:
- Health care provider who electronically conducts certain administrative transactions with health plans
- Health plan
- Health care clearinghouse

4 KEY CONCEPTS UNDER HIPAA
Business Associate (BA):
- Person or entity who creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate for a HIPAA-regulated activity
- No notice or business associate agreement is required to be a BA
5 KEY CONCEPTS UNDER HIPAA Protected Health Information Individually identifiable health information, including merely demographic information that is in a context that indicates an individual is/was a patient/enrollee of a health care provider or health plan.
6 CHANGE TO DEFINITION OF BA
- Business associate originally defined as a person who uses or discloses individually identifiable health information
- Some cloud providers interpreted that they did not use or disclose the information, or that they fell under the conduit exception
- 1/25/13 HIPAA rule revised the definition to include an entity that maintains PHI; BA compliance required by 9/23/13
- Conduit exception limited to transmission services (with only incidental, temporary storage and random/infrequent access)
7 HIPAA OBLIGATIONS FOR A BA
Limits on uses and disclosures of PHI:
- May not use or disclose PHI other than as permitted or required by the business associate agreement (BAA)
- Generally may not use or disclose PHI in a manner that is impermissible for a covered entity under HIPAA
- Exception for administration/management of the BA if permitted by the BAA

8 HIPAA OBLIGATIONS FOR A BA
Assist with patient privacy rights:
- Patient right of access to certain PHI
- Patient right of amendment of certain PHI
- Patient right to an accounting of disclosures

9 HIPAA OBLIGATIONS FOR A BA
Must comply with the Security Rule:
- Includes administrative, physical, and technical safeguards
- Requires documentation of policies, procedures, and the basis for not implementing addressable specifications

10 HIPAA OBLIGATIONS FOR A BA
Pass on BAA obligations to subcontractor BAs:
- Limits on uses and disclosures must be at least as restrictive
- Must require the subcontractor BA to comply with the Security Rule
11 HIPAA OBLIGATIONS FOR A BA
Reporting obligations:
1. Any impermissible use or disclosure (timing and content governed by BAA and state law)
2. Any security incidents (timing and content governed by BAA and state law)
3. Any breach of unsecured PHI (timing and content governed by HIPAA, BAA, and state law)

12 HIPAA OBLIGATIONS FOR A BA
- If the business associate takes on a covered entity's Privacy Rule compliance obligation, it must comply with the applicable requirements
- Must make internal records available to the U.S. Dept. of Health and Human Services upon request

13 HIPAA OBLIGATIONS FOR A BA
- Must permit termination for breach of the BAA
- Must return or destroy PHI if feasible; continue to protect PHI and limit use/disclosure if return or destruction is infeasible
14 Questions Remain
16 If a cloud provider maintains only encrypted PHI and does not have a decryption key, then:
A. It is a BA because it is maintaining PHI, even though the PHI is encrypted.
B. It is not a BA because it does not have access to any PHI.

18 If a cloud provider contractually prohibits customers from storing PHI on its servers but a customer does so anyway, then:
A. It is not a BA because it has no knowledge of maintaining PHI.
B. It is a BA but has an affirmative defense to any penalties because of a lack of knowledge.
C. It is a BA and is subject to millions in penalties if it has failed to comply with the Privacy, Security, and Breach Notification rules.

20 A colocation service maintains customers' servers in locked cabinets in its data center. The customers' servers include PHI. The colocation service:
A. Is a BA because it maintains PHI on behalf of a covered entity.
B. Is not a BA because it is analogous to a landlord, merely renting physical space to someone who maintains PHI.
21 Security incident is defined (45 CFR 164.304) as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Because the definition covers attempted as well as successful acts, an unsuccessful attempt against a system holding electronic PHI is still a security incident. A covered entity must include in its BAA a requirement that the BA report any security incident of which it becomes aware (45 CFR 164.314(a)(2)(i)(C)).

23 If a cloud provider routinely experiences unsuccessful attempts to get past its security controls:
A. It must log and report all unsuccessful attempts.
B. It only must report non-routine attempts that pose a high risk.
C. It may proactively report such unsuccessful attempts in its BAA.
D. No reporting of such unsuccessful attempts is required.
24 OTHER REMAINING QUESTIONS
- Is a BA required to report an impermissible use or disclosure of encrypted PHI?
- How can a BA provide access to, amend, and account for disclosures of encrypted PHI when it does not have the encryption key?
- Do the health care entity, the SaaS provider, and the IaaS provider each have a separate obligation to encrypt and back up any electronic PHI?
- How does a SaaS provider reconcile a health care entity and an IaaS provider each requiring the use of its own form BAA when those BAAs are inconsistent?
25 Reaching Answers
26 Non-profit trade association created to:
- Reduce obstacles to the health care sector leveraging cloud computing technology.
- Promote innovation by reducing health care compliance burdens on health care technology companies.

27 Objectives:
1. Understanding: Create an accepted framework and tools for health care and cloud computing.
2. Trust: Build trust in cloud computing and regulatory compliance through an accepted accreditation/certification process or other programs.
3. Government Outreach: Seek regulatory guidance from HHS and other relevant agencies. Maintain outreach and transparency with the government.

28 IMPROVING UNDERSTANDING
Promote a common framework:
- Providing access to cloud services satisfies access and amendment requirements.
- Accounting of disclosures need not identify the type of PHI disclosed if unknown to the cloud provider.
- Reporting requirements do not encompass encrypted PHI or routine unsuccessful security incidents.
- Identify cloud configurations that are appropriate for electronic PHI (e.g., dedicated instance).

29 IMPROVING UNDERSTANDING
Create helpful tools:
- Self-audit tool for SaaS, PaaS, and IaaS providers maintaining ePHI
- Model notice for a cloud provider to notify its customer of how privacy and security responsibilities are delegated
- Model BAA provisions specific to cloud computing providers

30 BUILDING TRUST
Work with other stakeholders (e.g., CSA, HIMSS) to identify and promote common means of demonstrating HIPAA compliance and good privacy and security:
- Identify which existing programs (e.g., SSAE 16 SOC 2, CSA STAR, FedRAMP, etc.) best address health care and cloud issues
- Ensure scalability to allow innovation among small SaaS companies
- Promote common security questionnaires
31 GOVERNMENT OUTREACH
- Maintain transparency with government stakeholders such as the HHS Office for Civil Rights and the Office of the National Coordinator for Health IT
- Seek clarification on ambiguities
- Consider seeking statutory fixes (e.g., an affirmative defense for BAs who had no notice of PHI)

32 RESOURCES
- HIPAA regulations at
- HIPAA Omnibus Rule at /pdf/ pdf (pp discuss data storage companies)
- HHS Office for Civil Rights at
- CSA Health Info. Mgmt. at https://cloudsecurityalliance.org/research/him/
- HIMSS Cloud Security Toolkit at
- HIMSS Cloud Analytics Survey at