By Laura Gerdes Long
Co-authored by Laura Gerdes Long and Katherine M. Flett
Our ever-evolving technological society is raising new questions about how to reconcile complex health data protection laws with cloud storage. Storage of data in the “cloud” allows users to store, maintain, and manage data remotely on the internet. Its advantages include accessibility of the cloud-stored data from any location via the internet, emergency back-up capacity, and even cost savings. An online search for HIPAA-compliant cloud storage companies reveals that there is no shortage of companies that advertise their “HIPAA-compliant cloud services.” It is important to remember that working with a company that claims its cloud storage “is HIPAA compliant” does not excuse you from meeting HIPAA requirements. Due diligence is required when selecting such a company and entering into appropriate contractual arrangements with it.
The Department of Health and Human Services’ Office for Civil Rights (“OCR”) is responsible for overseeing protection of sensitive health data under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). OCR issued guidance on October 6, 2016, explaining how to safeguard electronic health information protected by HIPAA in today’s widespread cloud networking environment.
HIPAA applies to “covered entities,” and this article will focus on one such covered entity, the health care provider. Most health care providers do not perform all of their health care functions by themselves and instead often use a range of services offered by others, called “business associates” under HIPAA. Health care providers are permitted to disclose protected health information (“PHI”) to these business associates (“BA”) as long as they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the health care provider, will safeguard the information from misuse, and will help the health care provider comply with some of the health care provider’s duties under HIPAA, through the execution of business associate agreements.
The new guidance establishes that cloud storage companies are considered BAs under HIPAA and clarifies that BAs are not considered “mere conduits,” which are excepted from the privacy regulations of HIPAA. The mere conduit exception applies only where the service provided is the transmission of electronic protected health information (“ePHI”) and not its storage, other than on a temporary basis incident to the transmission service. Unlike mere conduits, cloud storage companies maintain ePHI for storage purposes and have “more persistent access to the ePHI.” The guidance further explains that even if the cloud storage company stores only encrypted ePHI and does not have access to the encrypted data, the cloud storage company is still considered a BA.
As such, the guidance states that health care providers may use cloud storage companies to store or process ePHI, provided that the health care provider enters into a business associate agreement with the cloud storage company that establishes the permitted and required uses and disclosures of ePHI and requires the cloud storage company to appropriately safeguard ePHI. The business associate agreement also must require the cloud storage company to report to the health care provider any security incidents of which it becomes aware. The guidance reiterates that cloud storage companies are both contractually liable for meeting the terms of the business associate agreement and directly liable for compliance with the applicable requirements of HIPAA.
As for mobile devices, the guidance states that health care providers may use mobile devices to access ePHI in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI and appropriate business associate agreements are in place with any third-party service providers for the device. Additional guidance has been issued regarding the security of ePHI on mobile devices.
Ultimately, it is vitally important for health care providers to recognize that, despite the countless companies that advertise their cloud storage services as “HIPAA-compliant,” OCR does not require or formally recognize any HIPAA certification programs for cloud storage companies. Therefore, it is imperative that any health care provider engaging a cloud storage company understands the cloud computing environment and solutions being offered by such companies, so the health care provider may appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate business associate agreements to ensure that the cloud storage company complies with HIPAA requirements.
You may read the new guidance on the intersection of HIPAA and cloud storage here.
Posted by Attorneys Laura Gerdes Long and Katherine M. Flett. Long practices in tort, insurance defense, legal malpractice, health care, and employment law. Well-versed in employment law policies and processes related to HIPAA, she serves as a trainer and advisor to health care providers, insurers, self-insured employers, and municipalities. Flett is a member of the litigation team focusing on assisting clients with matters relating to business, civil, and commercial litigation.
01/9/17 12:14 PM
Filed under Health Care, HIPAA, Technology