Having patients feel safe sharing sensitive health information is critical to the future of informed population health. How can you ensure that you are compliant with the Health Insurance Portability and Accountability Act (HIPAA) when sharing this information with 3rd parties? If you are using a Cloud Service Provider, or are planning on using one soon, you may have a lot of questions about how to remain compliant and how to assure your CSP is, too.
The Department of Health and Human Services Office of Civil Rights (OCR) recently released guidance on HIPAA and cloud computing that clarifies that CSP’s are business associates under HIPAA. The guidance for CSP’s has been somewhat, well, cloudy, in the past. To simplify, if you’re involved with ePHI in any way – touching it, creating it, storing or maintaining it – you fall under the HIPAA Rules.
That means in addition to having a business associate agreement (BAA) in place you’ll want to understand your regulatory obligations with a CSP. We worked on a de-mystified version of the HHS’s cloud computing guidance for your reference.
6 Quick FAQs on HIPAA and Cloud Service Providers
1. I’m using a cloud service provider, but the ePHI that I send them is encrypted. Doesn’t that make them exempt from HIPAA rules?
No-view does not exempt you. Both you and your 3rd party CSP are subject to HIPAA if ePHI is involved.
2. We contracted a cloud service provider two months ago but our BAA isn’t finalized quite yet. We’re ok, right?
Remember the Oregon Health & Science University debacle? It cost OHSU $2.7 million because they didn’t have a BAA in place with their cloud service provider. Also, ignorance of how the CSP was used only buys you so much grace. So don’t count on “I didn’t know” being a defense.
3. Is it ok for doctors and other health care providers to use mobile devices to get to information in the cloud?
Yes, HIPAA rules allow it as long as the proper safeguards (including third party BAAs) are in place.
4. My BAA has expired with my CSP, what should I ask them to do with the ePHI?
Ask them to return or destroy all PHI “where feasible” per the Privacy Rule.
5. The servers running the cloud service aren’t in the US. Does HIPAA still apply?
And you still need a BAA. Be aware that OCR warns of increased risk to ePHI processed or stored outside of the US, especially if the server is in a country where cybersecurity risk is high.
6. Is your cloud service provider a business associate if the information they receive, process or store is de-identified?
Not if it was de-identified in accordance with the Privacy Rule.
More cloud service providers are touching ePHI every day. While the OCR provides sample Business Associate Contract provisions as they relate to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules, it doesn’t state specifically how the contracted parties can be sure that the provisions are followed.
In order to ensure that your CSP is adequately protecting your data, you need to be vigilant about what you put in your BAA. It’s not uncommon for healthcare organizations go beyond HIPAA requirements in their BAAs, using the document as the basis for service level requirements, too. If your BAA is that comprehensive, check for language about how you want your partner to demonstrate compliance, as well as what cybersecurity requirements, if any, are specified.
If you’ve had the same standard contract for a while, review it.
- Can you audit their security program?
- Have there been any amendments since its inception?
- Did your contract change in light of last year’s record number of ransomware cyberattacks?
The last bullet is particularly relevant in light of the rampant rise of 2016’s cyberattacks, and record number of HIPAA fines and settlements. Not only do you need to ensure that you have developed a comprehensive privacy and information security compliance program that includes stringent safeguards against cyberattacks, so does your CSP.
Transparency promotes trust. If your CSP does have a compliance program, assure you have a system or process in place that allows you to easily keep an eye on their ongoing privacy and security actions. It’s reassuring for both parties, and can make a difference when called on to officially demonstrate you’re on top of privacy and security.
All signs from OCR encourages the use of cloud service providers “consistent with their HIPAA responsibilities.” Don’t shy away from using CSP’s – just ensure that you have the right BAA and oversight mechanisms in place.
This article was originally published on Ostendio and is republished here with permission.