Cloud storage and HIPAA compliance

December 20, 2018

In recent years, more and more healthcare providers have been moving from traditional on-premises storage to cloud storage, mostly because of the ever-increasing volume of data. This trend can only gain strength, especially with the advent of IoT-based smart, connected devices that transmit real-time data from hundreds of geographically dispersed devices and sensors. Population health data, and the analytics built on it, is another area gathering momentum for which cloud storage is particularly suitable. The 2017 HIMSS Analytics Essentials Brief: Cloud studied cloud use across a variety of US healthcare organizations to gauge awareness of cloud technology, its penetration, the top services used, the leading Cloud Service Providers (CSPs) and the reasons for choosing them. According to the study, the top deciding factors when choosing a CSP are adherence to regulatory requirements such as HIPAA and HITECH, followed by willingness to meet BAA requirements and technical security.

The latest Guidance on HIPAA & Cloud Computing issued by the Department of Health and Human Services' Office for Civil Rights (OCR) directly addresses the situation created by the entry of yet another business into the healthcare ecosystem: the cloud service provider, or CSP. The CSP's HIPAA obligations are just as important as those of the CE (Covered Entity: a healthcare provider, a health plan, a health care clearinghouse, etc.).

Here are a few salient points that the CE should keep in mind:

CSP services and the Business Associate Agreement (BAA)

A CSP may provide one or more of many services, from mere storage to full-fledged online EMR systems and application development environments. The CSP may be storing only encrypted ePHI and may not even hold a decryption key. The ePHI may even sit on servers overseas. Regardless, a CSP that creates, receives, maintains or transmits ePHI on behalf of a CE (or on behalf of another BA, in which case it is a subcontractor BA) is a Business Associate (BA). It must have a business associate agreement (BAA) signed with the healthcare provider (the Covered Entity, or CE) or with the BA it serves, and it is directly liable for compliance with the applicable requirements of the HIPAA Rules. This is in addition to being contractually liable for meeting the terms of the BAA.

Failure to obtain a signed BAA from each such vendor is a common violation on the part of the CE and is penalized under HIPAA. This point matters because the terms of some CSP services involve access to ePHI, so the CSP may be fined for a HIPAA violation even if it never viewed the data. Some CSPs are unwilling to sign a BAA precisely for this reason.

Although the burden on a CSP offering no-view services (where the CSP has no access to the decryption key for the ePHI it maintains) is somewhat lighter, the CSP must still comply with the applicable standards and implementation specifications of the Security, Privacy and Breach Notification Rules with respect to that ePHI. The requirements may be met in a more flexible and scalable way, but they remain just as important, because encryption alone does not adequately secure the confidentiality, integrity and availability of ePHI as HIPAA requires: it protects the data from being read, but not from being corrupted or lost. The details to be included in a HIPAA-compliant BAA are described here.

There are two exceptions. A CSP that handles only de-identified data is not required to be a BA, since such data is not protected health information. A CSP acting purely as a conduit, transmitting ePHI and storing it only transiently as part of that transmission, is likewise not a BA; persistent storage of ePHI, even encrypted, does not fall under this exception.

Understanding the solution offered

The CE should thoroughly understand the cloud computing environment or solution offered by a particular CSP. This includes the provisions for access control, the location of the data (servers) at all times, encryption of data at all times (including backups), inventory management of the devices that store ePHI, data backup plans, disaster recovery processes, restoration from backup, and so on. All in all, a CSP that provides detailed documentation for all of the above is a better choice, since that documentation shows it is prepared for a full compliance audit.

The CE should conduct its own risk analysis and establish risk management policies to identify and assess potential threats and vulnerabilities to the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits. This applies even if the CSP claims its service is HIPAA compliant; a vendor's compliance claim is no substitute for the CE's own risk analysis.

Crafting the Service Level Agreement

Where a Service Level Agreement (SLA) is in place with a CSP, its terms must be consistent with the BAA and the HIPAA Rules, addressing such HIPAA concerns as system availability, reliability, security responsibility, backup and data recovery. The division of roles and responsibilities between the CE and the CSP, and the steps each takes to meet the IT security requirements, should be formally recorded.

I've contracted with a great CSP. Is that all?

It is not enough to sign a BAA with a HIPAA-compliant CSP. It is the organization that needs to be HIPAA compliant, and using a HIPAA-compliant service or solution does not make it so. The onus lies on the CE to use the cloud-based solution in a HIPAA-compliant manner. This involves setting up a secure network environment, defences and firewalls, proper configuration, access controls, data access restrictions and other customizations appropriate to the particular context. Relying on default settings is a strict no-no. Otherwise, if and when a breach results from the CE's own configuration, it is the CE that is held in violation, not the CSP.

Conclusion

All in all, a Cloud Service Provider handling ePHI has just as many reasons to take HIPAA seriously as the Covered Entity itself, and is fully responsible for being aware not only of its own HIPAA compliance obligations but also of those of the CE it contracts with.