[BreachExchange] New HHS Guidance Makes Clear HIPAA Applies in the Cloud

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 26 19:12:23 EDT 2016


http://www.hldataprotection.com/2016/10/articles/health-privacy-hipaa/new-hhs-guidance-makes-clear-hipaa-applies-in-the-cloud/

Cloud service providers are on notice: you are HIPAA business associates,
even if you are unable to access the HIPAA protected information in your
cloud. The Department of Health and Human Services (HHS) Office for Civil
Rights (OCR) released guidance making clear that cloud service providers
(CSPs) that create, receive, maintain, or transmit electronic protected
health information (PHI) are covered by HIPAA.

The guidance is notable for its broad scope.  Whether a CSP offers a simple
cloud storage solution or a complex interactive application for managing
electronic medical records, it should consider whether its business
maintains PHI. If it does, it will need to enter into business associate
agreements (BAAs) and implement an effective HIPAA compliance program.
Likewise, HIPAA covered entities (CEs) must determine whether the services
provided to them by CSPs give rise to HIPAA obligations. OCR’s latest
guidance clarifies how and when HIPAA applies in the cloud service context.

*Cloud Service Providers are Business Associates*

   - *HIPAA rules apply even if a CSP cannot access the PHI that it stores.*
   HIPAA applies even if the CSP has no access to the ePHI it holds.  These
   “no-view services,” in which a CSP stores encrypted information on behalf
   of a covered entity or business associate and does not have the encryption
   key, trigger the need for a BAA.  Even where the data owner is the sole
   party with access to the information, CSPs are not exempt from their HIPAA
   obligations as a business associate.  The HIPAA obligations are scalable
   and may be shared with customers.
   - *The conduit exception does not apply.*  The guidance emphasizes that
   CSPs typically do not qualify for the HIPAA “conduit exception.” That
   exception applies only to entities providing transmission services, and a
   CSP that stores PHI, even if a “no-view service,” would not be considered a
   conduit.
   - *Mobile devices are within scope.*  CSPs providing services that
   function with mobile devices such as phones or tablets are covered.  BAAs
   must be in place with any CSPs that are storing or will have access to the
   PHI.  OCR previously released separate guidance
   <http://www.hldataprotection.com/2016/02/articles/health-privacy-hipaa/ocr-releases-mhealth-guidance-for-app-developers/>
   on using and securing PHI on mobile devices that complements the cloud
   computing guidance.

*Key HIPAA Compliance Obligations for Cloud Service Providers*

CSPs will need to enter into BAAs and comply with the HIPAA Security rule
and parts of the HIPAA privacy regulations.  Key compliance obligations
include:

   - report any security incidents or breaches of unsecured PHI of which
   they become aware to their customers, with limited exception;
   - return or destroy any PHI in their possession at the end of the
   effective term of a BAA, where feasible; and
   - consistent with the governing BAA, make PHI available as necessary for
   the CE to meet its obligations to provide individuals with their rights to
   access, amend, and receive an accounting of disclosures of PHI.

If a CSP does not know that a customer is storing PHI in its cloud, an
affirmative defense to allegations of a HIPAA violation is available,
provided that the CSP takes corrective action essentially at the time that
it knows or should know that it is storing the PHI.

*HIPAA Obligations in the Cloud Environment Can Vary and Should be
Addressed in Contracts*

   - CSPs storing PHI should execute business associate contracts with
   customers.  Note, however, that even if a BAA is not in place, CSPs storing
   PHI are required to comply with all applicable provisions of the HIPAA
   rules.
   - The CSP and its customer are independently responsible for HIPAA
   compliance. HHS recognizes that in some cases, requiring more than one
   party to implement the same safeguards would be redundant. Organizations
   can contract to share responsibility for implementing certain Security Rule
   obligations.
   - Requests for assurance of protections for PHI beyond what is expressly
   required in the HIPAA regulations are increasingly common.  Customers may
   request documentation of security protections, audit rights, or other
   information related to security practices.  These requests and related
   contractual provisions are permitted provided that their terms are
   consistent with both entities’ HIPAA obligations.
   - The use of CSPs outside the United States is not prohibited by HIPAA.
   That said, the risks to PHI can vary depending on their geographic location
   and outsourcing overseas can increase the risks and vulnerabilities in ways
   that call for additional contractual protections.  Such risks need to be
   accounted for in the security risk analysis and risk management plans
   required by the HIPAA Security Rule.

*How should entities respond to the guidance?*

HIPAA regulated entities using or providing cloud-based services should:

   - Evaluate the services and identify when BAAs are required.
   - Enter into a BAA as appropriate.  OCR has made compliant BAAs an
   enforcement priority, recently assessing a financial penalty of $2,700,000
   and entering into a resolution agreement and corrective action plan
   <http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html>
   with Oregon Health & Science University for allegedly storing the PHI of
   more than 3,000 individuals on a cloud-based server without entering into a
   BAA.
   - Conduct risk analyses and establish risk management activities in
   connection with the use or provision of the service.