The digital world has migrated to the Cloud, on both personal and business levels. But “covered entities” (CEs) and “business associates” (BAs) subject to the Health Insurance Portability and Accountability Act regime, better known by the moniker of “HIPAA”, must often determine how (and whether) they can take advantage of cloud computing while still complying with HIPAA’s specific Rules.
In response, the US Department of Health and Human Services (“HHS”), through its enforcement arm, the Office for Civil Rights (“OCR”), has recently issued important guidance to assist organizations, including cloud service providers (“CSPs”), in approaching and understanding their HIPAA obligations. The OCR guidance presents key questions and answers regarding 11 detailed scenarios, in a Q&A format, to assist HIPAA-regulated CEs, BAs and CSPs in examining their responsibilities under the various HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information using cloud products and services.
The guidance is available on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html with additional FAQs found under “Business Associates – Cloud Computing” at: http://www.hhs.gov/hipaa/for-professionals/faq/business-associates
What does it mean in summary?
Whenever Protected Health Information (“PHI”) is stored, transferred or processed by a CSP, it is vital that the requirements of the HIPAA/HITECH Privacy and Security Rules be considered, and that it be confirmed that a “modern”, current Business Associate Agreement (“BAA”) is in place reflecting the requirements of the 2013 Omnibus Final Rule.
Many companies have long-standing vendor relationships with a blizzard of different agreements between the company and the vendor.
BAAs are often entered into and then forgotten unless something brings the need and issue to the fore. “We already have a BAA in place ….” That may not be good enough if the BAA uses an older form or was put into place more than 3 years ago.
Mainly because HHS/OCR has recently taken a clear and vocal hard line on enforcing that accurate and up-to-date BAAs are in place.
For example, last month HHS/OCR reached a highly publicized settlement with a HIPAA Covered Entity in which the CE paid OCR a $400,000 fine because its BAAs with vendors did not reflect the updated requirements of the 2013 Omnibus Final Rule and had not been updated since 2005. See http://www.hhs.gov/about/news/2016/09/23/hipaa-settlement-illustrates-importance-of-reviewing-updating-business-associate-agreements.html
Cloud services and CSPs offer many benefits to companies, but, at least when any PHI is involved, cloud services can never be entered into lightly, or without full due diligence of the CSP’s security and contractual terms to confirm that they align with HIPAA and BAA requirements. Reviewing CSP contracts and ensuring that they meet HIPAA’s requirements (and other state and federal data security requirements; see NYDFS’s recent Cybersecurity Regulations) is neither a trivial nor always an easy task.