HIPAA and the Age of Cloud Computing
HIPAA Compliance Defense Attorneys Discuss the Age of Cloud Computing
Computers are so ubiquitous that most people cannot imagine muddling through everyday life without finding some reason to fire one up. Computers have evolved over time from huge machines that could take up an entire room into devices that easily fit in the palm of a person's hand. People use computers for a multitude of reasons: to communicate with loved ones, to shop, to get turn-by-turn driving directions, and to store volumes upon volumes of data.
Healthcare providers, like many businesses, have taken advantage of computers to facilitate the delivery of services to their clients, the patients, and to improve upon their business model. There is a growing trend for providers to move away from documenting healthcare services in a paper file and to begin using an electronic medical record (EMR). Also, for years now, providers have had the ability to submit electronic claims to payers and receive payments for those claims electronically. The use of a computer to create a medical record or submit a claim can substantially reduce the amount of cabinet space a provider needs in the office for storage of paper files.
While physical storage needs become less of a concern, computers can only store so much information on their individual hard drives. This presents a new problem: how can providers safely store the mountains of health information they obtain and still maintain compliance under HIPAA? Enter the world of cloud computing. Cloud computing is a type of Internet-based computing that provides shared processing resources and data to computers and other devices on demand. Cloud computing allows a provider to store volumes of health information electronically without taxing the hard drive space of the computers in the office. Can providers do this? Can this concept be implemented while still maintaining HIPAA compliance? It appears the answer is yes. More importantly, HHS appears to agree. In order to demonstrate why that appears to be the answer, we must first look at HIPAA and its requirements.
HIPAA was enacted by Congress in 1996. Through its implementing regulations, the U.S. Department of Health and Human Services (HHS) established, for the first time, a national set of standards for the protection of certain health information. The goal of HIPAA is to assure that individuals' health information is properly protected while allowing the sharing of that same information for the purpose of delivering high quality healthcare. By design, HIPAA is comprehensive yet flexible.
For present purposes, HIPAA's regulations have two relevant parts, the Privacy Rule and the Security Rule. The Privacy Rule addresses the use and disclosure of individuals' protected health information, or PHI, by organizations subject to the rule, and sets standards for individuals' privacy rights to understand and control how their health information is used. The Privacy Rule is codified in 45 CFR Part 160 and Part 164, Subparts A and E. The Security Rule establishes a set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule sets out the technical and non-technical safeguards entities must put in place to secure individuals' electronic protected health information, or e-PHI. The Security Rule is codified in 45 CFR Part 160 and Part 164, Subparts A and C. Violations of either the Privacy Rule or the Security Rule are enforced by the HHS Office for Civil Rights (OCR), which enforces the Rules through voluntary compliance activities, corrective action plans and resolution agreements, or civil money penalties (CMPs).
Relevant HIPAA Sections and Cloud Computing Application
While healthcare providers are responsible for complying with all the provisions of HIPAA, the concept of cloud computing implicates several that should be specifically addressed. Generally speaking, all providers dealing with health information must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit. Providers must also protect against reasonably anticipated threats or hazards to the security or integrity of that e-PHI, and against reasonably anticipated uses or disclosures that the Privacy Rule does not permit or require.
To help providers meet these mandates, the Security Rule establishes administrative, physical, and technical safeguards. Under the administrative safeguards, providers must ensure that all members of their workforce have appropriate access to e-PHI and must prevent workforce members who have not been granted access from obtaining it. Also, when a provider's employment of a workforce member ends, the provider must have procedures in place for terminating that person's access to e-PHI. Finally, providers must have a contingency plan in place to protect e-PHI in case of fire, vandalism, system failure, or natural disaster. This administrative safeguard requires providers to establish a data backup plan, a disaster recovery plan and an emergency mode operation plan.
Cloud service providers (CSPs) offer the ability to separate users and user access within the provider's cloud tenant. CSPs may also allow a provider to empower a single employee (or an employee and an alternate) to edit personnel access to the e-PHI. As a result, a provider may be able to use these capabilities to comply with the administrative safeguards related to restricting access and terminating employees, provided the provider actually configures them and revokes a departing employee's accounts and credentials promptly; the cloud centralizes the revocation but does not perform it on its own. Since the e-PHI is stored in the cloud rather than on hardware at the provider's location, a fire or natural disaster at the practice does not destroy the records, which simplifies the contingency plan. The plan still has to cover loss of connectivity to the CSP and outages or data loss on the CSP's side, which is why the backup and recovery commitments discussed below belong in the contract with the CSP.
Under the physical safeguards of the Security Rule, a provider is responsible for implementing procedures that govern the receipt and removal of hardware and electronic media that contain e-PHI. Under this standard, providers must address the final disposition of e-PHI and the hardware or electronic media on which it is stored, and must implement procedures for the removal of e-PHI from electronic media before the media is made available for re-use.
Through the use of cloud computing, a provider can substantially decrease the danger of e-PHI being left on hardware or electronic media. Instead of storing e-PHI on a computer hard drive or some sort of external drive that would need to be cleared of all e-PHI before being transferred to another employee, the e-PHI is stored in a cloud environment maintained by the CSP. The e-PHI is no longer tied to a specific device but is reached through access granted to specific employees. Unintentional transfer of e-PHI along with a device is greatly reduced, although not eliminated: files downloaded from the cloud, browser caches, and local copies on laptops and mobile devices still contain e-PHI and still have to be covered by the provider's media disposal and re-use procedures.
The final set of safeguard requirements the Security Rule imposes on providers is the technical safeguards. Under this standard, providers must implement policies and procedures for electronic information systems (EIS) that maintain e-PHI so that access is allowed only to those persons or software programs that have been granted access rights. Providers must also implement hardware, software, or procedural mechanisms that record and examine activity in the EIS that contain e-PHI. Finally, providers must have procedures in place to protect e-PHI from improper alteration or destruction and to verify that a person or entity seeking access to e-PHI is the one claimed.
CSPs can offer customers a number of account monitoring services. Through a CSP, a provider can track who signs in to the system where e-PHI is stored. Some systems can be set up to alert an administrator when a new employee is granted access or a previously terminated employee has regained access. The monitoring capabilities offered by certain CSPs can help providers meet the technical safeguard standards of HIPAA, but only if the provider turns the logging on, retains the records, and actually reviews them; the CSP supplies the mechanism, while the obligation to examine the activity remains the provider's.
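As an added example (not code from the original article or from any particular CSP), the following Python script shows the kind of review the previous paragraph describes: it runs over a constructed JSON-lines audit log and a constructed HR roster of terminated workforce members, flags every access grant so an administrator sees new access, flags grants to or sign-ins by anyone already terminated at the time of the event, and reports any terminated user with no recorded revocation afterward. The event field names (time, actor, action, target, resource) are an assumed generic schema; real CSP audit logs use their own field names and would need a small mapping step.

```python
"""Added example: flagging access grants and sign-ins that a HIPAA access review
would want to see, run over a constructed JSON-lines audit log."""
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit events. The field names (time, actor, action, target,
# resource) are an assumed generic schema; real CSP logs use different names.
SAMPLE_LOG = """\
{"time":"2024-02-01T12:00:00Z","actor":"admin@clinic.example","action":"RevokeAccess","target":"bwhite@clinic.example","resource":"ephi-records"}
{"time":"2024-03-01T09:00:00Z","actor":"admin@clinic.example","action":"GrantAccess","target":"jdoe@clinic.example","resource":"ephi-records"}
{"time":"2024-03-01T09:05:00Z","actor":"jdoe@clinic.example","action":"SignIn","target":"jdoe@clinic.example","resource":"portal"}
{"time":"2024-03-03T08:12:00Z","actor":"jdoe@clinic.example","action":"SignIn","target":"jdoe@clinic.example","resource":"portal"}
{"time":"2024-03-04T10:00:00Z","actor":"admin@clinic.example","action":"GrantAccess","target":"jdoe@clinic.example","resource":"ephi-records"}
{"time":"2024-03-04T10:01:00Z","actor":"admin@clinic.example","action":"GrantAccess","target":"asmith@clinic.example","resource":"ephi-records"}
"""

# Constructed HR roster of terminated workforce members: user -> termination time.
TERMINATED = {
    "jdoe@clinic.example": "2024-03-02T17:30:00Z",
    "bwhite@clinic.example": "2024-02-01T09:00:00Z",
}


@dataclass(frozen=True)
class Alert:
    severity: str   # "info", "medium" or "high"
    time: str
    user: str
    reason: str


def _ts(value):
    """Parse an ISO-8601 UTC timestamp; the Z suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(log_text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def evaluate(events, terminated):
    """Return alerts for the two conditions the text describes plus one gap check:
    - every access grant (info), so an administrator sees new access as it happens;
    - a grant to, or sign-in by, a user already terminated at that time (high);
    - a terminated user with no RevokeAccess recorded after termination (medium)."""
    alerts = []
    revoked_after_termination = set()
    for ev in events:
        when = _ts(ev["time"])
        # Grants and revocations act on the target; sign-ins are about the actor.
        user = ev["target"] if ev["action"] in ("GrantAccess", "RevokeAccess") else ev["actor"]
        term = terminated.get(user)
        already_terminated = term is not None and _ts(term) <= when
        if ev["action"] == "GrantAccess":
            if already_terminated:
                alerts.append(Alert("high", ev["time"], user,
                                    f"access to {ev['resource']} granted to terminated user"))
            else:
                alerts.append(Alert("info", ev["time"], user,
                                    f"new access granted to {ev['resource']}"))
        elif ev["action"] == "SignIn" and already_terminated:
            alerts.append(Alert("high", ev["time"], user, "sign-in by terminated user"))
        elif ev["action"] == "RevokeAccess" and already_terminated:
            revoked_after_termination.add(user)
    for user, term in terminated.items():
        if user not in revoked_after_termination:
            alerts.append(Alert("medium", term, user,
                                "no access revocation recorded after termination"))
    return alerts


def run_report():
    """Evaluate the constructed sample; returns the alert list for inspection."""
    return evaluate(parse_events(SAMPLE_LOG), TERMINATED)


if __name__ == "__main__":
    for alert in run_report():
        print(f"{alert.severity:6} {alert.time} {alert.user}: {alert.reason}")
```

Run against the constructed sample, the script reports two informational grants, two high-severity events for the terminated user (a sign-in the day after termination and a re-grant two days later), and a medium-severity gap because no revocation for that user was ever logged; the other terminated user, whose access was revoked the same day, produces nothing. The termination roster comes from HR rather than from the log itself, because the log only shows what the CSP saw; the comparison against an authoritative workforce list is what makes a quiet re-grant visible.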
Rules Pertaining to Business Associates
HIPAA allows providers to share e-PHI with outside organizations if certain conditions are met. These outside organizations are referred to as business associates. A business associate is a person or organization, other than a member of the provider's workforce, that performs certain functions or services on behalf of the provider. Functions and services performed by a business associate include claims processing, data analysis, consulting, data aggregation, management, administration, and financial services.
Providers can share e-PHI with a business associate and allow that business associate to create, receive, maintain, or transmit the e-PHI on the provider's behalf if the provider obtains satisfactory assurances that the business associate will safeguard the e-PHI in a manner consistent with HIPAA. Satisfactory assurances must be documented in a written contract or other written agreement. This is typically referred to as a Business Associate Agreement, or BAA. The BAA between the provider and the business associate must establish the permitted and required uses and disclosures of the e-PHI and must prohibit the business associate from using or disclosing it in any other way. The regulations list a multitude of other requirements for the contract, all of which reinforce the fact that the business associate is directly liable under the Security Rule, and for certain Privacy Rule requirements, just as the provider is.
Since the CSP would be receiving and maintaining e-PHI from the provider, the CSP is a business associate. This is true even where the CSP stores only encrypted e-PHI and never holds the decryption key; HHS treats such "no-view" services as business associates as well. HIPAA allows this type of arrangement so long as a BAA is signed by the parties. Once an appropriate BAA is signed, the provider may engage the services of the CSP and transmit the e-PHI for maintenance by the CSP.
HHS Opinion on Cloud Computing and HIPAA
Due to the proliferation of cloud computing solutions, HHS decided to provide guidance to those covered by HIPAA on the proper use of cloud computing under the law. HHS's guidance can be found on its website, and according to it, providers can use cloud services to store or process e-PHI so long as the parties enter into an acceptable BAA. HHS, through OCR, has published guidance on what it considers to be the proper elements of a BAA. HHS suggests that, in addition to the BAA, the provider should have the CSP sign a Service Level Agreement (SLA) to address more specific business expectations. The SLA can address issues such as system availability and reliability, backup and data recovery, the manner in which data will be returned to the customer, security responsibilities, and use, retention and disclosure limitations. HHS indicates that providers who appropriately enter into a BAA with a CSP can access the e-PHI through a mobile device. Providers can even use CSPs that store e-PHI on servers located outside the United States; HIPAA does not prohibit it, although HHS expects the provider to weigh the added risks of a foreign location in its risk analysis and risk management.
HHS does warn that the provider and CSP must enter into a BAA before the transmission of e-PHI. If the transmission occurs before a BAA is in place, both the provider and the CSP may be in violation, and penalties as originally set by statute range from $100 to $50,000 per violation, capped at $1,500,000 per calendar year for violations of an identical provision; HHS now adjusts these amounts annually for inflation.
HHS appears to recognize the benefits of cloud computing, going so far as to offer guidance on how providers can incorporate it into their practice while maintaining compliance under HIPAA. In that guidance, HHS emphasizes the importance of obtaining a valid BAA and even suggests providers enter into an SLA to further define the contractual relationship with the CSP. Providers wishing to utilize a CSP to store e-PHI must understand the important contractual obligations the BAA and SLA create for both parties. Once this contractual relationship is created, providers can take advantage of cloud computing services. The contract is a precondition rather than a substitute for compliance, however: the provider still must conduct its own risk analysis, configure the access controls and monitoring the cloud environment offers, and review how its workforce actually handles e-PHI.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.