Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Transcription

1 Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA (215) [email protected]

2 H I P A Health Insurance Portability Accountability A Act of 1996 HIPAA Issues Adopted consumer privacy protections and safeguards for security of protected health information ( PHI ) through detailed rule making. 2

3 H I Health Information HITECH T Technology E Economic C Clinical H Health Act 2009 Amended HIPAA Breach notification Business associates subject to HIPAA Strengthened enforcement tools and fines Omnibus regulation: generally effective Sept

4 Who Is Subject To HIPAA Covered Entities Providers Insurers and health plans Health care clearinghouses Business Associates: Entity that performs services for (e.g., lawyers, accountants) or on behalf of (e.g., cloud provider, data storage company) a CE Includes subcontractors Relationship of CE and BA is key Agency 4

5 Enforcement Office of Civil Rights of HHS $7.5M in settlements in 2014 Large and small CEs; also BAs in 2015 Most result from reported breaches Onerous Corrective Active Plans Risk Assessments are key Encryption: de facto now a requirement FTC: Scope of jurisdiction being tested 2015 OIG Work Plan Will audit CEs receiving EHR incentive payments and their BAs 5

6 State Laws Breach Notification is required for breach of personal information (PI) PI generally includes name plus SSN, credit card number, or drivers license number Essence is identity theft 47 states have breach notification laws (not SD, AL, NM) Federal Law likely to be enacted Data Protection CA, CT, MD, MA, and OR mandate some kind of comprehensive security program Extending this requirement to downstream service providers 6

7 Security Standards: HIPAA Sets national standards for protecting PHI held or transferred in electronic form: physical, administrative and technical safeguards CE must: Ensure confidentiality, integrity and availability of e-phi it creates, receives, maintains or stores Identify and protect against reasonably anticipated threats Protect against reasonably anticipated impermissible uses or disclosures Ensure workforce compliance Scalability 7

8 Security Standards for Cloud Computing: CMS CMS/CISO Memorandum 14-02: CMS Cloud Computing and Federal Risk and Authorization Management Program Guidance (July 10, 2014) Explains Federal Risk and Authorization Management Program (FED RAMP) to CMS components Provides contract language Incorporates HIPAA requirements where applicable 8

9 Strategies for Dealing with Cloud Don t use Cloud Large entities may prefer to control PHI and have resources to do so (fewer companies taking this route) Use Private Cloud exclusive use Outsourcing Contract 9

10 Strategies for Dealing with Due diligence Cloud (Cont. d) Has a third party assessment been done? Check for frequency of risk analyses and detail about most recent risk analysis Check details of controls (e.g., encryption; who has key) Health Care Cloud Coalition (HC3) Security Assessment Tool BAAs 10

11 Contracting Issues Cloud providers of CEs should be considered BAs OCR has sent mixed messages about this issue, but best practice is to treat a cloud provider as a BA Will CE be liable for HIPAA violations of BA? CE is responsible for its own HIPAA compliance Agency is key No guarantees that a BA is not an agent Terms of BAA are non-negotiable; BA must agree to CE terms or not do business 11

12 Contracting Issues (Cont. d) Better off signing a BAA as it gives CE control over terms Does state law preempt HIPAA? Ex: MN & CA Highly confidential information (e.g. mental health) Where is data stored? Is any data stored off shore/internationally? What if entity storing information on cloud is not a CE? 12

13 Outsourcing Contract Provisions Security Requirements Oversight and audits re: HIPAA Protocol dealing with issues like encryption, firewalls, etc. Data Ownership Use of data: acceptable use Access and control of data Including possible access by other contractors of CE 13

14 Outsourcing Contract Provisions Indemnification re: HIPAA (Cont. d) Limitations of liability Vendor warranties Incorporate BAA SLA: cloud service, performance standards, services terms for provided services 14

15 Key BAA Provisions Vendor/BA to comply with HIPAA Breach notification Who pays Time frame for notification Consumer protection provisions When BA does not know where the PHI is Indemnification Agency 15

16 Katherine Layman, Esquire Cozen O Connor 1900 Market Street Philadelphia, PA (215) [email protected]