HIPAA Regulatory Alert: Are you in the cloud? Time to scrutinize agreements
Omnibus rule clarifies definition of cloud providers as business associates
Although healthcare organizations have been slower to adopt cloud-computing services than other industries,1 a recent study shows that 62% are using cloud services for some activities.2 However, 47% of respondents relying on the cloud are not confident that information is secure, and 23% are only somewhat confident.
The Health Insurance Portability and Accountability Act (HIPAA) omnibus rule addresses security concerns with expanded and clarified definitions of business associates (BAs) to include vendors who may transmit only data, a task performed by cloud service providers.
“Throughout the past two years of review and comment on the rule, cloud vendors insisted they be treated as a conduit of information and not as a business associate with access to data,” explains Cynthia J. Larose, Esq., an attorney and member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo in Boston.
The actual conduit exception defined in the final rule is limited to companies such as wireless carriers, telephone companies, or delivery services such as FedEx, she explains. “Even if a cloud services provider is not contracted to work with the data of a client, the point is that the vendor has to have access to provide maintenance, upgrade service, or perform other operations.”
Identification of cloud service providers as business associates is not new, points out Anna L. Spencer, JD, an attorney with Sidley Austin in Washington, DC. “Even prior to HITECH [Health Information Technology for Economic and Clinical Health], the FAQ guidance on business associates indicated that companies that provided hosting or software services were considered business associates,” she explains. This fact was highlighted with the fine levied against Phoenix Cardiac Surgery for using a publicly accessible Internet calendar to schedule appointments and surgeries. One of the findings by the Office of Civil Rights (OCR) was that the practice “failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.”3
The good news for hospitals and health systems is a “crystal clear” definition of cloud providers as business associates. The bad news is a critical need to review existing agreements with cloud providers to ensure they are held to the same standards as all business associates. “Covered entities must revisit all cloud vendor agreements,” recommends Larose. “Even if a cloud provider claims to be HITECH-compliant, the covered entity must ask for proof.” This proof includes documentation of a third-party assessment report certifying existence of privacy and security controls within the organization, a Statement on Standards for Attestation Engagements (SSAE) No. 16, she suggests.
While the SSAE provides proof of an assessment, it is not healthcare-specific, so require other documentation as well, suggests Andrew Hicks, MBA, CISA, CCM, CRISC, director and healthcare practice lead at Coalfire, a Louisville, CO-based independent IT governance, risk, and compliance firm. “The best proof is a HITRUST [Health Information Trust Alliance] certification,” he says. “It is specific to healthcare and covers privacy and security concerns.” Third-party reports should include documentation of penetration testing as well as vulnerability assessments, and all documentation should be requested annually, he adds. “The covered entity must hold the cloud service provider responsible for data.”
While all of this documentation should be in place at the start of any new contract, a covered entity should specify a timeframe in which existing vendors must prove compliance to continue the business arrangement, he recommends. (See story on this page for specific questions about security to ask a new vendor.)
Know downstream vendors
The omnibus rule also points out the business associate’s responsibility for downstream vendors, says Spencer.
“This is critical for healthcare organizations working with cloud providers because many companies presenting themselves as cloud vendors are offering services that run on other cloud platforms such as Google or Microsoft,” she says.
While the vendor with whom the hospital contracts has privacy and security controls in place, the actual platform provider might not, she explains. For this reason, make sure the cloud provider is asking for the same proof of compliance from its own vendors.
“Encryption is an interesting wrinkle in this conversation about cloud provider responsibilities,” says Spencer. “Theoretically, the cloud service provider’s access to data is not an issue if the healthcare organization transmits only encrypted data.” At this point, there is no guidance as to whether this type of encryption eliminates the business associate responsibility for the cloud provider, she adds.
“Encryption minimizes risk but doesn’t eliminate it, so don’t select a cloud provider who can’t produce the documentation you require, even if you plan to only transmit and store encrypted data,” says Spencer. If you are already working with a cloud services vendor who won’t produce the documentation you require, be ready to move to a new vendor. “This is not always easy to do,” she admits.
Although business associates are required to return or destroy data after termination, a hospital’s current contract might not identify the vendor as a business associate, and language in the contract might not address status of the data upon early termination. “Operationally, it may not be easy to switch to another vendor, but even if it is, be sure you know what happens to your data with the previous vendor,” she adds.
Ensuring compliance with security requirements might take time and effort, but the risks are great, Spencer points out. “It’s not just about OCR penalties. If a cloud service provider can’t meet security requirements, and a hospital continues to do business with the vendor, the hospital is financially responsible for all the costs of a breach, which can be sizable when a cloud services provider is involved.” (For more on the HIPAA omnibus rule, see “Final HIPAA rule increases penalties, liability for associates,” Healthcare Risk Management, March 2013, p. 25.)
1. CDW. Silver linings and surprises: CDW’s 2013 state of the cloud report. 2013. Accessed at http://webobjects.cdw.com/webobjects/media/pdf/CDW-2013-State-Cloud-Report.pdf.
2. Ponemon Institute. Third Annual Benchmark Study on Patient Privacy & Data Security. December 2012. Accessed at http://www2.idexpertscorp.com/assets/uploads/ponemon2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf.
3. Department of Health and Human Services. HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards. Press release. April 17, 2012. Accessed at http://www.hhs.gov/news/press/2012pres/04/20120417a.html.
For more information about cloud service providers as business associates, contact:
• Andrew Hicks, MBA, CISA, CCM, CRISC, Director and Healthcare Practice Lead, Coalfire, 361 Centennial Parkway, Suite 150, Louisville, CO 80027. Telephone: (303) 554-6333. Email: Andrew.email@example.com.
• Cynthia J. Larose, Esq., Member, Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, One Financial Center, Boston, MA 02111. Telephone: (617) 348-1732. Fax: (617) 542-2241. Email: firstname.lastname@example.org.
• David S. Linthicum, Founder and Chief Technical Officer, Blue Mountain Labs, 12969 Manchester Road, St. Louis, MO 6313. Telephone: (314) 373-3435. Email: email@example.com.
• Anna L. Spencer, JD, Partner, Sidley Austin, 1501 K St. NW, Washington, DC 20005. Telephone: (202) 736-8445. Email: firstname.lastname@example.org.
Is the cloud safe for healthcare?
Ask these questions to determine data security
The benefits of using cloud service providers include improved operating efficiencies as well as reduced costs related to infrastructure, when compared to more traditional, physical environments.
Ensuring data security, however, is more complex than traditional data storage systems, says David S. Linthicum, founder and chief technology officer of Blue Mountain Labs, information technology advisors in St. Louis, MO. As times go on and more healthcare organizations rely on cloud computing, regulations such as the omnibus rule will provide guidance on how health entities can ensure they are choosing a cloud service provider that is compliant with privacy and security regulations, Linthicum explains. “Until then, it is up to the healthcare organization to be skeptical and ask cloud providers to prove their ability to meet security requirements,” he says.
One of the first steps is to understand what service you are purchasing, suggests Linthicum. The cost-savings of cloud computing are related to the multi-tenant structure of the service. The cost benefit of cloud computing are related to multiple customers sharing the costs of transmitting and storing data. The multi-tenancy is something healthcare organizations need to understand. Some of the key questions to ask potential cloud service providers include:
• How are clients segmented?
Andrew Hicks, MBA, CISA, CCM, CRISC, director and healthcare practice lead at Coalfire, a Louisville, CO-based independent IT governance, risk, and compliance firm, says, “If it is one system with multiple tenants, there are firewalls between data, but healthcare organizations should ask how the cloud service provider ensures data is never mixed.”
Another key issue to address is how the cloud service provider can identify what data is involved if a breach occurs. Although the provider is not working directly with the data, it should be able to identify which client’s data was breached and the extent of the breach.
• Where is data stored?
Cynthia J. Larose, Esq., an attorney and member of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo in Boston, says, “Another significant concern that must be addressed in any agreement with a cloud service provider is the location of the data.”
Data with a cloud service provider is always moving from server farm to server farm, depending on demand for access and space on servers, Larose explains. “Many providers use server farms outside the U.S., where data security is not as regulated,” she says. “For this reason, healthcare organizations should specify that their data is never to be stored anywhere outside the U.S.”
• Do you work with healthcare or financial institutions?
It is helpful to work with a cloud service provider that understands healthcare privacy and security requirements, but a provider who handles financial transactions, such as credit cards, is accustomed to high levels of security, Hicks points out. “They also have systems in place to track location of data and correctly identify what information was affected by a breach,” he says.
Ask specifically about other healthcare clients, suggests Linthicum. “Request permission to contact their largest and most active healthcare clients for a reference,” he advises.
• What are your physical security protections?
Don’t just focus on data security while in storage or transmission, suggests Hicks. “Ask about controls that limit physical access to servers as well as employee access to data,” he says. Just as a hospital tries to ensure employees don’t carry unencrypted personal health information home on a laptop that can easily be lost, a cloud service provider should have physical safeguards as well as policies to protect your data.
• What are your disaster recovery procedures?
When asking about security protections, ask about disaster recovery plans as well, says Hicks.
“Understand what their disaster recovery plans include such as location of data and how easily accessible it is to you,” he says. In addition to making sure your data is secure in the event of a disaster, you also want to make sure continuity of your service is not affected, he adds.
While use of cloud computing can be a safe, cost-effective business solution for many healthcare organizations, it might not be right for everyone, admits Linthicum. “Each organization should evaluate their needs, costs of cloud versus other computing solutions, and their organization’s readiness to change,” he says.
If an organization enters into an agreement with a cloud services provider, be sure to define specific penalties and responsibilities for the provider, suggests Linthicum. “Healthcare is very wary of cloud computing, but there are benefits,” he says. “Each organization needs to weigh the risks and benefits to make the right choice based on individual need.”