Cloud Computing in Healthcare: HIPAA and State Law Challenges Navigating Privacy and Security Risks


Presenting a live 90-minute webinar with interactive Q&A
Cloud Computing in Healthcare: HIPAA and State Law Challenges: Navigating Privacy and Security Risks
Wednesday, June 12, 2013: 1pm Eastern, 12pm Central, 11am Mountain, 10am Pacific
Today's faculty features:
Matthew A. Karlyn, Partner, Cooley, Boston
Andrew Gantt, Partner, Cooley, Washington, D.C.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

Sound Quality
If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial in and enter your PIN when prompted. Otherwise, please send us a chat or email sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
In the chat box, type (1) your company name and (2) the number of attendees at your location
Click the SEND button beside the box

If you have not printed the conference materials for this program, please complete the following steps:
Click on the + sign next to Conference Materials in the middle of the left-hand column on your screen.
Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program.
Double click on the PDF and a separate page will open.
Print the slides by clicking on the printer icon.

Privacy and Security Issues for Cloud Computing in Healthcare
Matthew A. Karlyn, Partner, Cooley LLP (617)
Andrew Gantt, Partner, Cooley LLP (202)
June 12, 2013
attorney advertisement
2013 Cooley LLP, Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA
The content of this packet is an introduction to Cooley LLP's capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.

Health IT's Migration to the Cloud: Current Use
30 percent of health care organizations report using cloud technology for clinical and non-clinical applications, according to a CDW tracking poll:
Electronic Health Records (EHR)
Radiology images
Telemedicine
Patient management
Revenue cycle management and/or patient billings and claims management

Health IT's Migration to the Cloud: Projected Use
71 percent of health care organizations are either deploying or plan to deploy cloud technology, according to a survey by KLAS Research
Worldwide cloud services revenue is projected to reach $148.8 billion in 2014, according to a Gartner study

Definitions of Cloud Computing: Characteristics
Delivery over the Internet (i.e., "the cloud")
Software, platform or infrastructure resources provided as services
Scalability on demand
Utility and/or subscription billing (i.e., based on the Customer's actual use and/or a period of time)

Types of Cloud Computing Services
Software-as-a-Service (SaaS) refers to the Provider's software being delivered over the cloud to the Customer as a service (e.g., electronic health record systems)
Platform-as-a-Service (PaaS) refers to the Provider's software development platforms being delivered over the cloud to the Customer as a service (e.g., interface development)
Infrastructure-as-a-Service (IaaS) refers to virtual servers, memory, processors, storage, network bandwidth, and other types of infrastructure resources, delivered over the cloud to the Customer as a service (e.g., data hosting)

Models of Cloud Deployment
Public Clouds: owned and operated by a cloud provider
Private Clouds: computing environment operated exclusively for one organization
Community Clouds: computing environment exclusive to 2+ organizations with similar considerations
Hybrid Clouds: composition of 2 or more clouds

Benefits of Cloud Technology
Reduction in Capital Costs
Enhanced Computing Power
Greater Flexibility
Lower Upfront Risks and Complexity
Availability of In-house Expertise

That all sounds great... BUT there are risks
What are the privacy and security risks that health care organizations evaluating cloud computing solutions should consider?

Compliance Risks: Privacy and Security
Evaluation of risk involves consideration of the data sensitivity and criticality of the services, and the heightened compliance risks associated with cloud computing
Individually identifiable health information is high-risk data and is often part of critical business processes being supported by the cloud computing solution
Solutions must be carefully evaluated to ensure the benefits outweigh the risks; ensure compliance and contractual protections and operational precautions are taken

HIPAA, HITECH and State Law
HIPAA, as amended by the HITECH Act, requires health plans, health care clearinghouses, and covered health care providers (Covered Entities) to safeguard protected health information (PHI)
The HITECH Act made Business Associates (BA) of Covered Entities directly regulated by HIPAA
Comparable state laws exist, and HIPAA does not preempt more stringent state law requirements
Responsibility for compliance cannot be delegated to the cloud provider

HIPAA and the Cloud: Changes Under the HIPAA Omnibus Rule
BA must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; liable for Security Rule violations
BA must comply with use or disclosure limitations expressed in its contract and those in the Privacy Rule; criminal and civil liabilities attach for violations
BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities
Subcontractors of a BA are now defined as a BA, clarifying that BA liability flows to all subcontractors

HIPAA and the Cloud: Changes Under the HIPAA Omnibus Rule (cont'd)
Rule estimates impact on 250,000 to 500,000 BAs at a cost of $21M to $42M (only $84 per BA!)
Rule reflects the new, post-HITECH reality that business associates (BA) are directly regulated by OCR
BAs and subcontractors can only use and disclose PHI as permitted by the BAA or required by law; terms of the BAA remain critical
Definition of BA includes:
  Entities that transmit and need routine access to PHI (e.g., Health Information Organization, E-Prescribing Gateway);
  PHR vendors who serve CEs; and
  Subcontractors who create, receive, maintain or transmit PHI for a BA

HIPAA and the Cloud: Limited Conduit Exception
Conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission
However, an entity that maintains PHI on behalf of a CE (e.g., a document storage company) is a BA and not a conduit, even if the entity does not actually view the PHI
Transient versus persistent nature of the opportunity to view data is relevant
"Random or infrequent access to PHI" standard still applies, but is interpreted more narrowly
More guidance expected on conduits

HIPAA and the Cloud: Business Associate Agreement Transition Provisions
Rule is effective March 26, 2013; compliance due within 180 days
If, prior to January 25, 2013, a CE (or BA with respect to a subcontractor) has entered into and is operating pursuant to a BAA with the BA (or subcontractor, as applicable) that complies with the applicable provisions of (a) or (e) that were in effect on such date, and the BAA is not renewed or modified from March 26, 2013 until September 23, 2013, it shall be deemed compliant until the earlier of:
  The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
  September 22, 2014
A similar transition provision exists for data use agreements

HIPAA and the Cloud: Breach Standard
The interim final regulation said the statute incorporated a "risk of harm" threshold: notice was required where there is a significant risk of financial, reputational or other harm.
Covered entities have been reporting breaches under this standard for two years

HIPAA and the Cloud: Breach Standard (cont'd)
The Omnibus Rule modified the presumption for breach reporting: notification is required to affected individuals unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment.
Instead of the "risk of harm" standard, a risk assessment is required to determine if there is a low probability of a compromise of the PHI.
If the risk assessment reveals a low probability of compromise, notification is not required.
A covered entity can provide notice without a risk assessment.

HIPAA and the Cloud: Breach Standard (cont'd)
Risk assessment factors:
  The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification;
  The unauthorized person who used the protected health information or to whom the disclosure was made;
  Whether the protected health information was actually acquired or viewed; and
  The extent to which the risk to the protected health information has been mitigated.

Evaluating the Risk of Cloud Computing
Compliance with State Security Laws
  Some states also mandate security controls for Personal Information (which might be defined to include health information) or Electronic Health Records
Compliance with Data Breach Reporting Laws
  Forty-seven states have breach-reporting laws
  Some apply to health information; others to social security and financial account information
Organizations may need to comply with federal and state laws, if state law is more stringent

Evaluating the Risk of Cloud Computing (cont'd)
Liability
  Privacy and security requirements
  Civil penalties
  Private causes of action
Data breaches
  ANSI developed a formula to estimate the financial impact of a breach
  Estimated a $26.5 million financial impact for a breach of 845,000 medical records

Evaluating the Risk of Cloud Computing (cont'd): Data Security
Internet-facing services: risks associated with services being delivered over the internet, e.g., increased risk of web browser attacks
Multi-tenancy environment: risks associated with data being stored on a server with other customers' data, e.g., increased risk of unauthorized disclosure
System complexity: risks associated with the interaction of multiple services, e.g., having a greater attack surface

Evaluating the Risk of Cloud Computing (cont'd): Contractual Relationships with Downstream Vendors
Accountability for the privacy of health information cannot simply be delegated to a cloud provider
HITECH holds Business Associates responsible for civil penalties (42 U.S.C. (b)), but notification costs, mitigation of harm, and damages must be addressed contractually
State law and the Federal Trade Commission may differ with respect to the responsibility of organizations for the actions of their subcontractors

Part 3: Speaking of Contracts
Cloud computing agreements have some similarity to licensing agreements, but have more in common with hosting or ASP agreements

Licensing vs. the Cloud
Traditional Licensing/Hardware Purchase
  Vendor installs the software or equipment in the Customer's environment
  Customer has the ability to have the software or hardware configured to meet its needs
  Customer retains control of the data
In the Cloud
  Software, hardware and Customer data are hosted by the Provider, typically in a shared environment (e.g., many customers per server)
  Software and hardware configuration is much more homogeneous across all customers

Licensing vs. the Cloud (cont'd)
Shift of Top Priorities: from configuration, implementation and acceptance (in the licensing world) to service availability, performance, service levels, data security and control (in the cloud)
Traditional Provisions Retain Importance: in particular, insurance, indemnity, intellectual property, limitations of liability, warranties

Cloud Customers Must Make Important Decisions
There are no standard forms that work for every customer, for every product, in every deal
Some commonly used outsourcing and software licensing terms may be useful, but cannot be uniformly applied to cloud computing transactions
More robust contractual protection and provisions that address issues unique to the cloud are likely needed
For low-risk deals, a low-risk solution may outweigh the need for contractual protections
For high-risk deals, better to take a closer look and include the provisions that will protect your company
Note that robust contractual protections may have an impact on price and eliminate certain providers altogether

The Focus of Cloud Computing Transactions
Focus should be on:
  The criticality of the software, data and services to the enterprise
  The unique issues presented by a cloud computing environment
  The service levels and pricing offered by different suppliers and for different services
Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point

Part 4: Key Contractual Issues in Cloud Computing
Pre-Agreement Due Diligence
Service Availability
Service Levels
Data Security
Insurance
Indemnification
Limitation of Liability
Warranties
Term
Fees

Pre-Agreement Due Diligence
Can the Provider meet your organization's expectations?
Require the Provider to complete a due diligence questionnaire, with particular attention to:
  Provider's financial condition and corporate responsibility
  Location of the data, including disaster recovery facilities
  Provider's use of subcontractors and contractual relationships
  Provider's security infrastructure and policies and procedures

Service Availability
If the Provider stops delivering services, the Customer will have no access to the services (which may be supporting a critical business function), and perhaps more importantly, no access to the Customer's data stored on the Provider's systems
Customer must be able to continue to operate and have access to its data at all times

Service Availability (cont'd): What Do You Need?
If the Provider is maintaining Protected Health Information (PHI), a disaster recovery plan and an emergency mode operation plan
Application of the terms of the agreement to the Provider's disaster recovery site
Provider's agreement not to withhold services (even if there is a dispute)

Service Availability (cont'd): Protections Against Provider's Financial Instability
Enable the Customer to identify issues in advance
Quarterly reporting to allow the Customer to assess the overall strength and financial viability of the Provider
Ability to terminate the Agreement if the Customer concludes the Provider does not have the financial wherewithal to fully perform as required
In-house software solution: consider requiring the Provider to make available or develop an in-house solution to replace software services if it stops providing those services

Service Levels
Uptime Service Level
  Services must be available to the Customer at all times to support operations
  Outage window
  Measurement period
  Remedies
  Require the Provider to monitor servers by automatic pinging
  Unavailability should include severe performance degradation
Service Response Time

Service Levels (cont'd): Uptime Terms
Require the Provider to make services available continuously as measured over the course of each calendar month, an average of 99 percent of the time
Excluding unavailability as a result of defined Exceptions:
  Unavailability due to the Customer's acts or omissions
  Customer's internet connectivity

Service Levels (cont'd): Response Time
Maximum latencies and response times for the Customer's use of the Services
Average download time for each page of the Services, within the lesser of (i) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index ("KB40") or (ii) two (2) seconds
Provide for a successor index if KB40 is discontinued
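An added example, not from the slides or from Cooley: a Python check of the uptime and response-time terms above (99 percent per calendar month, defined Exceptions excluded from the measurement, severe degradation counted as unavailability), run over a constructed ping log. The KB40 value and the reading of "within 0.5 seconds of the index" as index + 0.5 s are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Probe:
    """One automatic ping of the service: when it ran, whether the service
    answered, and the measured page download time in seconds."""
    ts: datetime
    answered: bool
    latency_s: float


@dataclass(frozen=True)
class ExcludedWindow:
    """A defined Exception under the SLA (e.g., the Customer's own connectivity
    failure); probes inside [start, end) are dropped from the measurement."""
    start: datetime
    end: datetime
    reason: str


def response_threshold(kb40_s: float, cap_s: float = 2.0) -> float:
    """Page download limit: the lesser of (i) KB40 + 0.5 s and (ii) 2 s.
    Reading 'within 0.5 seconds of the index' as index + 0.5 s is an assumption."""
    return min(kb40_s + 0.5, cap_s)


def _inside(ts: datetime, windows: Sequence[Tuple[datetime, datetime]]) -> bool:
    return any(start <= ts < end for start, end in windows)


def monthly_availability(probes: Sequence[Probe],
                         exclusions: Sequence[ExcludedWindow],
                         threshold_s: float) -> float:
    """Fraction of measured probes during which the service was available.
    A probe is unavailable if the service did not answer OR answered slower
    than the response threshold (severe degradation counts as unavailability)."""
    excluded = [(w.start, w.end) for w in exclusions]
    measured = available = 0
    for p in probes:
        if _inside(p.ts, excluded):
            continue  # defined Exception: not part of the measurement period
        measured += 1
        if p.answered and p.latency_s <= threshold_s:
            available += 1
    if measured == 0:
        raise ValueError("no measurable probes in the period")
    return available / measured


def sla_met(availability: float, target: float = 0.99) -> bool:
    return availability >= target


def build_probe_log(period_start: datetime, days: int, step_min: int,
                    hard_outages, degradations, slow_latency_s: float,
                    normal_latency_s: float = 0.3) -> List[Probe]:
    """Constructed monitoring log: one probe every step_min minutes; probes in a
    hard outage go unanswered, probes in a degradation answer slowly."""
    probes, ts, end = [], period_start, period_start + timedelta(days=days)
    while ts < end:
        answered = not _inside(ts, hard_outages)
        latency = slow_latency_s if _inside(ts, degradations) else normal_latency_s
        probes.append(Probe(ts, answered, latency))
        ts += timedelta(minutes=step_min)
    return probes


# Constructed scenario for June 2013 (30 days of 5-minute probes = 8,640 probes).
KB40_S = 1.2  # assumed weekly index value, so the threshold is min(1.7, 2.0) = 1.7 s
HARD_OUTAGES = [
    (datetime(2013, 6, 5, 2), datetime(2013, 6, 5, 4)),      # 2 h, inside an Exception
    (datetime(2013, 6, 12, 10), datetime(2013, 6, 12, 12)),  # 2 h, Provider outage
]
DEGRADATIONS = [(datetime(2013, 6, 20, 8), datetime(2013, 6, 20, 14))]  # 6 h at 3.0 s
EXCLUSIONS = [ExcludedWindow(datetime(2013, 6, 5, 2), datetime(2013, 6, 5, 4),
                             "Customer's internet connectivity")]
PROBES = build_probe_log(datetime(2013, 6, 1), 30, 5, HARD_OUTAGES, DEGRADATIONS, 3.0)


def evaluate_june_2013():
    """Returns (availability counting degradation, availability ignoring degradation)."""
    threshold = response_threshold(KB40_S)
    strict = monthly_availability(PROBES, EXCLUSIONS, threshold)
    lenient = monthly_availability(PROBES, EXCLUSIONS, float("inf"))
    return strict, lenient


if __name__ == "__main__":
    strict, lenient = evaluate_june_2013()
    print(f"counting degradation: {strict:.4%} -> SLA met: {sla_met(strict)}")
    print(f"ignoring degradation: {lenient:.4%} -> SLA met: {sla_met(lenient)}")
```

The same log passes the 99 percent test when slow responses are ignored and fails when they count, which is why the slide insists that unavailability include severe performance degradation.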

Service Levels (cont'd): Other Common Service-level Issues that Customers Should Address
Simultaneous visitors
Problem response time and resolution time
Data return and periodic delivery
Remedies for failure to meet service levels; should include financial penalties and termination

Service Levels (cont'd): Why Are They So Important?
Assure the Customer that it can rely on the services and provide appropriate remedies if the Provider fails to meet the agreed service levels
Provide incentives that encourage the Provider to be diligent in addressing issues

Data Security: Business Associate Agreements (BAA)
Required with the Provider if it hosts data or software containing PHI on its own server, or furnishes software and accesses PHI, even if only for troubleshooting software function (OCR FAQ, available at /business_associates/256.html)
If BAA provisions are incorporated in End User License Agreements (e.g., with EHR software vendors):
  Should analyze whether the EULA is valid under state law
  Likely to contain standard provisions favorable to the Business Associate

Data Security (cont'd): Business Associate Agreements
BAA (or contract) should address the Provider's policies and procedures related to:
  Security policies unique to the cloud
  Subcontracting arrangements
  Location of data
  Breach notification
  Data ownership and use rights
  Data redundancy
  E-discovery
  Data conversion/data return

Data Security (cont'd): Business Associate Agreements
The HITECH Act requires appropriate administrative, physical, and technical safeguards, but does not address specific security risks associated with the cloud computing environment (42 U.S.C. )
BAA should address policies that comply with the HITECH Act security requirements and policies to address cloud-specific risks

Business Associate Agreements: Security Provisions
Agree to provide a third-party audit to verify compliance
Allow the Covered Entity access to facilities to determine HIPAA compliance
Define the Customer's vs. the Provider's responsibilities for security
Ensure the security policy adequately addresses cloud-specific risks:
  Technical risks
  Workforce access
  Review of audit trails

Data Security (cont'd): Subcontracting Arrangements
HIPAA compliance if PHI is involved (45 C.F.R. (e)(ii)(D))
BAA must ensure that any subcontractors to which the Business Associate provides PHI agree in writing to the same restrictions and conditions that apply to the Business Associate in its agreement with the Covered Entity

Data Security (cont'd): Subcontracting Arrangements
Data hosting: who is operating the data center, the Provider or a third party?
Ensure the third-party host complies with key terms of the agreement with the Provider
Cloud Provider should be jointly and severally liable with the third-party host for any breach of the agreement by the third-party host
Advance notice of any change of the host
Consider entering a separate confidentiality agreement with the third-party host

Data Security (cont'd): Location of Data
May determine the jurisdiction and the governing law
Overseas data may present practical difficulties
Other state laws may impose additional compliance requirements
Should consider inclusion of a prohibition on off-shore work and restrictions on data transfer without prior written consent of the Customer

Data Security (cont'd): Breach Notification Provisions
BAA should establish:
  The procedures and timeframe for reporting a breach to the Customer
  The procedures and role of the parties with respect to investigation of the breach and notification of individuals
  Liability of the Provider
If subject to HIPAA, must comply with 45 C.F.R. 164 Subpart D

Data Security (cont'd): Breach Notification Provisions
Customer should have sole control over the timing, content, and method of notification (if it is required)
If the Provider is responsible for the breach, then the Provider should reimburse the Customer for its reasonable out-of-pocket expenses in providing the notification, mitigating the harm, and otherwise complying with the law
Indemnification is a key issue, subject to negotiation between the parties

Data Security (cont'd): Data Ownership and Use Rights
Agreement should contain:
  Clear language regarding the Customer's ownership of data
  Specific language (i) regarding the Provider's obligations to maintain the confidentiality of such information and (ii) placing appropriate limitations on the Provider's use of such Customer information
  Strict limitations on the Provider's use of data in aggregated and/or de-identified form
  Use of aggregate data must be for a health care operations purpose permissible under HIPAA
  May require indemnification in the event that PHI is not properly de-identified

Data Security (cont'd): Data Redundancy
Agreement should contain explicit provisions regarding:
  Provider's duty for regular backups and frequency of backups
  Replication of the Customer database at an off-site location
  Number of backups to be saved
  Method for the Customer to retrieve the database backups

Data Security (cont'd): E-discovery
Agreement should require the Provider to retain meta-data
Data Conversion/Return of Data
  Should ensure that the Customer is not locked in to the Provider's solution and the Provider can return or destroy data at termination of the agreement
  Establish format for return of data at no cost to the Customer
  Require the Provider to completely destroy or erase all other copies of the Customer Information
  Require certification of destruction of data

Insurance
Customer should self-insure against IT risks by obtaining a cyber-liability policy
Provider should be required to carry:
  Technology errors and omissions liability insurance
  Commercial blanket bond, using Electronic & Computer Crime or Unauthorized Computer Access insurance
Most data privacy and security laws will hold the Customer liable for security breaches whether it was the Customer's fault or the Provider's fault

Indemnification
Third-party claims relating to the Provider's breach of its confidentiality and security obligations, as well as claims relating to infringement of third-party intellectual property rights
Limitation to copyright is not acceptable
Limitation to US IP rights may be acceptable, but consider whether use of the services will occur overseas

Limitation of Liability
Scrutinize limitation of liability provisions carefully
If you cannot eliminate the limitation of liability in its entirety, seek the following protections:
  Mutual protection
  Appropriate carve-outs (e.g., confidentiality, data security, indemnity)
  A reasonable liability cap for direct damages

Warranties
The following warranties are common in these types of agreements:
  Conformance to specifications
  Performance of services
  Appropriate training
  Compliance with laws
  No sharing / disclosure of data
  Services will not infringe
  No viruses / destructive programs
  No pending or threatened litigation
  Sufficient authority to enter into the agreement

Fees
Ability to add and remove resources with a corresponding upward or downward adjustment in the service fees
Identify all potential revenue streams and make sure that the identified fees are inclusive of such revenue streams
Lock in recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or another index

Term
The Customer should be able to terminate the agreement at any time upon notice (14 to 30 days) and without penalty
The software and infrastructure are being provided as a service and should be treated as such
The Provider may request a minimum commitment from the Customer to recoup the Provider's investment in securing the Customer as a customer
If you agree to this, limit it to no more than one year, and the Provider should be required to provide evidence of its up-front costs to justify such a requirement
Under HIPAA, Covered Entities must be authorized to terminate the agreement upon knowledge of a material breach (45 C.F.R. (e)(2)(iii))

Negotiation
Leverage is important; you may not be able to obtain all of the protections you want
Evaluate the business risks:
  Do the services support a critical business function?
  Do the services involve sensitive data?
  Are the services customer facing?

Negotiation (cont'd)
If you cannot get the protections you want in the most significant areas of risk, consider walking away
If walking away is not an acceptable option, focus on risk mitigation
For example, if the Provider refuses to modify its uptime service level (arguing that it cannot separately administer an uptime warranty for different customers), focus on improved remedies and exit rights for failure to meet the service level

Part 5: Additional Issues to Consider
Lack of transparency and control
IP issues
Change management and governance/oversight
Exclusivity
Post-execution monitoring

QUESTIONS?
Matt Karlyn, Partner, Cooley LLP, 500 Boylston Street, Boston, MA (617)
Andrew Gantt, Partner, Cooley LLP, 1299 Pennsylvania Avenue, NW, Suite 700, Washington, DC (202)


Ensuring HIPAA Compliance When Transmitting PHI via Patient Portals, Email and Texting Presenting a live 90-minute webinar with interactive Q&A Ensuring HIPAA Compliance When Transmitting PHI via Patient Portals, Email and Texting Protecting Patient Privacy, Complying with State and Federal

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA Compliance Issues and Mobile App Design

HIPAA Compliance Issues and Mobile App Design HIPAA Compliance Issues and Mobile App Design Washington, D.C. April 22, 2015 Presenter: Shannon Hartsfield Salimone, Holland & Knight LLP, Tallahassee and Jacksonville, Florida Agenda Whether HIPAA applies

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

Negotiating EHR Agreements: Complying with HIPAA, Stark and AKS, Overcoming Privacy and Security Risks

Negotiating EHR Agreements: Complying with HIPAA, Stark and AKS, Overcoming Privacy and Security Risks Presenting a live 90-minute webinar with interactive Q&A Negotiating EHR Agreements: Complying with HIPAA, Stark and AKS, Overcoming Privacy and Security Risks Acquiring an EHR and Meeting Incentive Program

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

for Landlords and Tenants Negotiating Insurance, Indemnity and Mutual Waiver of Subrogation Provisions

for Landlords and Tenants Negotiating Insurance, Indemnity and Mutual Waiver of Subrogation Provisions Presenting a live 90 minute webinar with interactive Q&A Commercial Leases: Risk Mitigation Strategies for Landlords and Tenants Negotiating Insurance, Indemnity and Mutual Waiver of Subrogation Provisions

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Business Associate Agreement (BAA) Guidance

Business Associate Agreement (BAA) Guidance Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity

More information

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013.

Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013. Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013. Business Associates have been part of the focus of the HIPAA regulations since 2003 when the privacy rule went

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered

More information

HIPAA Privacy and Business Associate Agreement

HIPAA Privacy and Business Associate Agreement HR 2011-07 ATTACHMENT D HIPAA Privacy and Business Associate Agreement This Agreement is entered into this day of,, between [Employer] ( Employer ), acting on behalf of [Name of covered entity/plan(s)

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

Creating Stable Security & Compliance Relationships

Creating Stable Security & Compliance Relationships Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available

More information

The HIPAA Security Rule: Cloudy Skies Ahead?

The HIPAA Security Rule: Cloudy Skies Ahead? The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

Cloud Computing and HIPAA Privacy and Security

Cloud Computing and HIPAA Privacy and Security Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:

More information

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Payment and Performance Surety Bonds in Construction Projects: Perspectives of Owners, Contractors and Sureties

Payment and Performance Surety Bonds in Construction Projects: Perspectives of Owners, Contractors and Sureties Presenting a live 90-minute webinar with interactive Q&A Payment and Performance Surety Bonds in Construction Projects: Perspectives of Owners, Contractors and Sureties Asserting and Defending Surety Bond

More information

Evolving Issues for Healthcare IT Contracting

Evolving Issues for Healthcare IT Contracting Evolving Issues for Healthcare IT Contracting By: Alan L. Friel This client advisory is based in part on an article appearing in FierceHealthIT. The emergence of mega-suite vendors, more use of the cloud,

More information

HIPAA for Business Associates

HIPAA for Business Associates HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The

More information

Cloud Computing & Health Care Organizations: Critical Privacy & Security Issues - December 16, 2015

Cloud Computing & Health Care Organizations: Critical Privacy & Security Issues - December 16, 2015 Cloud Computing & Health Care Organizations: Critical Privacy & Security Issues - December 16, 2015 James B. Wieland, Principal, Ober Kaler David Holtzman, VP of Compliance, CynergisTek Welcome The slides

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Overcoming Ethical Challenges for Multi-Firm Lawyers and Their Firms: Fiduciary Duty, Conflict, Fee-Splitting and More

Overcoming Ethical Challenges for Multi-Firm Lawyers and Their Firms: Fiduciary Duty, Conflict, Fee-Splitting and More Presenting a live 90-minute webinar with interactive Q&A Overcoming Ethical Challenges for Multi-Firm Lawyers and Their Firms: Fiduciary Duty, Conflict, Fee-Splitting and More TUESDAY, SEPTEMBER 16, 2014

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

Mobile App Developer Agreements

Mobile App Developer Agreements Mobile App Developer Agreements By Alan L. Friel Many companies that have had disputes with developers have been surprised to discover that the agreements signed, often without input from legal, failed

More information

How not to lose your head in the Cloud: AGIMO guidelines released

How not to lose your head in the Cloud: AGIMO guidelines released How not to lose your head in the Cloud: AGIMO guidelines released 07 December 2011 In brief The Australian Government Information Management Office has released a helpful guide on navigating cloud computing

More information

Negotiating EHR Acquisition Contracts

Negotiating EHR Acquisition Contracts Negotiating EHR Acquisition Contracts Key Strategies, Terms and Conditions Louisa Barash, Esq. & Jane Eckels, Esq. The Art and Skill of Negotiations Painful Contract Negotiations Take too long Are too

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC HIPAA Compliance and Non-Business Associate Vendors: Strategies and Best Practices July 14, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON,

More information

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP The Challenges of Applying HIPAA to the Cloud Adam Greene, Partner Davis Wright Tremaine LLP AGENDA Key Concepts Under HIPAA HIPAA Obligations for a BA Questions Remain Reaching Answers Resources KEY CONCEPTS

More information

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored

More information

Business Associates under HITECH: A Chain of Trust

Business Associates under HITECH: A Chain of Trust FAQ on InfoSafe Shredding Services: Frequently Asked Questions on InfoSafe Shredding Information And Video on One Time Cleanouts: Cleanouts and Purges Business Associates under HITECH: A Chain of Trust

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

Answering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by. www.duxware.com

Answering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by. www.duxware.com Answering to HIPAA Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM Brought to you by www.duxware.com The Event On February 20, 2014 at 8:00 PM an Internal Medicine specialist received a

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information