[BreachExchange] New HHS Guidance Makes Clear HIPAA Applies in the Cloud
Inga Goddijn
inga at riskbasedsecurity.com
Wed Oct 26 19:12:23 EDT 2016
http://www.hldataprotection.com/2016/10/articles/health-privacy-hipaa/new-hhs-guidance-makes-clear-hipaa-applies-in-the-cloud/
Cloud service providers are on notice: you are HIPAA business associates,
even if you are unable to access the HIPAA protected information in your
cloud. The Department of Health and Human Services (HHS) Office for Civil
Rights (OCR) released guidance making clear that cloud service providers
(CSPs) that create, receive, maintain, or transmit electronic protected
health information (PHI) are covered by HIPAA.
The guidance is notable for its broad scope. Whether a CSP offers a simple
cloud storage solution or a complex interactive application for managing
electronic medical records, it should consider whether its business
maintains PHI. If it does, it will need to enter into business associate
agreements (BAAs) and implement an effective HIPAA compliance program.
Likewise, HIPAA covered entities (CEs) must determine whether the services
provided to them by CSPs give rise to HIPAA obligations. OCR’s latest
guidance clarifies how and when HIPAA applies in the cloud service context.
*Cloud Service Providers are Business Associates*
- *HIPAA rules apply even if a CSP cannot access the PHI that it stores.*
HIPAA applies even if the CSP has no access to the ePHI it holds. These
“no-view services,” in which a CSP stores encrypted information on behalf
of a covered entity or business associate and does not have the encryption
key, trigger the need for a BAA. Even where the data owner is the sole
party with access to the information, CSPs are not exempt from their HIPAA
obligations as a business associate. The HIPAA obligations are scalable
and may be shared with customers.
- *The conduit exception does not apply.* The guidance emphasizes that
CSPs typically do not qualify for the HIPAA “conduit exception.” That
exception applies only to entities providing transmission services, and a
CSP that stores PHI, even if a “no-view service,” would not be considered a
conduit.
- *Mobile devices are within scope.* CSPs providing services that
function with mobile devices such as phones or tablets are covered. BAAs
must be in place with any CSPs that are storing or will have access to the
PHI. OCR previously released separate guidance
<http://www.hldataprotection.com/2016/02/articles/health-privacy-hipaa/ocr-releases-mhealth-guidance-for-app-developers/>
on using and securing PHI on mobile devices that complements the cloud
computing guidance.
*Key HIPAA Compliance Obligations for Cloud Service Providers*
CSPs will need to enter into BAAs and comply with the HIPAA Security rule
and parts of the HIPAA privacy regulations. Key compliance obligations
include:
- report any security incidents or breaches of unsecured PHI of which
they become aware to their customers, with limited exception;
- return or destroy any PHI in their possession at the end of the
effective term of a BAA, where feasible; and
- consistent with the governing BAA, make PHI available as necessary for
the CE to meet its obligations to provide individuals with their rights to
access, amend, and receive an accounting of disclosures of PHI.
If a CSP does not know that a customer is storing PHI in its cloud, an
affirmative defense to allegations of a HIPAA violation is available,
provided that the CSP takes corrective action essentially at the time that
it knows or should know that it is storing the PHI.
*HIPAA Obligations in the Cloud Environment Can Vary and Should Be Addressed in Contracts*
- CSPs storing PHI should execute business associate contracts with
customers. Note, however, that even if a BAA is not in place, CSPs storing
PHI are required to comply with all applicable provisions of the HIPAA
rules.
- The CSP and its customer are independently responsible for HIPAA
compliance. HHS recognizes that in some cases, requiring more than one
party to implement the same safeguards would be redundant. Organizations
can contract to share responsibility for implementing certain Security Rule
obligations.
- Requests for assurance of protections for PHI beyond what is expressly
required in the HIPAA regulations are increasingly common. Customers may
request documentation of security protections, audit rights, or other
information related to security practices. These requests and related
contractual provisions are permitted provided that their terms are
consistent with both entities’ HIPAA obligations.
- The use of CSPs outside the United States is not prohibited by HIPAA.
That said, the risks to PHI can vary depending on their geographic location
and outsourcing overseas can increase the risks and vulnerabilities in ways
that call for additional contractual protections. Such risks need to be
accounted for in the security risk analysis and risk management plans
required by the HIPAA Security Rule.
*How should entities respond to the guidance?*
HIPAA regulated entities using or providing cloud-based services should:
- Evaluate the services and identify when BAAs are required.
- Enter into a BAA as appropriate. OCR has made compliant BAAs an
enforcement priority, recently assessing a financial penalty of $2,700,000
and entering into a resolution agreement and corrective action plan
<http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html>
with Oregon Health & Science University for allegedly storing the PHI of
more than 3,000 individuals on a cloud-based server without entering into a
BAA.
- Conduct risk analyses and establish risk management activities in
connection with the use or provision of the service.