Davis Wright Tremaine (dwt.com)
HIPAA Cloud Computing Guidance
Adam Greene, JD, MPH, Partner
Rebecca Williams, BSN, JD, Partner
Nature is a mutable cloud which is always and never the same
Ralph Waldo Emerson
Agenda
A few historical notes
FAQs in Guidance
Considerations
– For Covered Entity and Business Associate Customers
– For Cloud Service Providers
Questions
History of HIPAA and Cloud Computing
Pre-2013
– Question over whether a cloud service provider (“CSP”) is a business associate (“BA”)
– Definition of BA required “use or disclosure” of individually identifiable health information on behalf of a covered entity (“CE”)
– Potentially a “conduit,” which transports PHI, with access only on a random or infrequent basis; transient nature
HIPAA Omnibus Rule (released January 2013)
– Revised definition of BA to include an entity that creates, receives, maintains, or transmits protected health information (“PHI”) on behalf of a CE or BA
– Did not use the term “cloud,” but referred to data storage companies
HIPAA Cloud Computing Guidance
HHS Office for Civil Rights (“OCR”) released cloud computing guidance on 10/6/16
Primarily a series of FAQs
Confirmed that CSPs that create, receive, maintain, or transmit PHI are BAs
1. May a CE/BA use a CSP to store or process ePHI?
Yes!
1. May a CE/BA use a CSP to store or process ePHI?
Must enter business associate agreement (“BAA”) (obligation primarily falls on customer)
Both CE/BA customer (“customer”) and CSP should conduct a risk analysis
Customer should consider how cloud configuration (e.g., public, hybrid, private, etc.) affects its risk analysis
1. May a CE/BA use a CSP to store or process ePHI?
Any Service Level Agreement should be consistent with the BAA and HIPAA
CSP cannot withhold customer access to ePHI
CSP is directly subject to certain HIPAA provisions (e.g., Security Rule, impermissible uses and disclosures)
1. May a CE/BA use a CSP to store or process ePHI?
Remaining questions:
– Does this apply to colocation services?
– Storage of voicemail or text messages by a telecom?
2. If a CSP stores only encrypted PHI and does not have a decryption key, is it a BA?
Yes, CSP receives and maintains PHI
Even though CSP cannot view PHI
– Called “No View Services”
Outstanding issue with OCR, but now resolved
Encryption significantly reduces risk
But, HIPAA safeguards still needed
2. No View Services – Security
Flexible & scalable to address no view services
Some security safeguards may be satisfied for both parties through the actions of one
– Suggests confirming the responsibilities of each party in writing
CSP not responsible for compliance failures attributable solely to the customer
– Facts & circumstances
2. No View Services – Privacy & Breach
Still bound by use and disclosure restrictions
– May not “impermissibly use” PHI by blocking or terminating customer access
Address individual rights of access, amendment, and accounting of disclosures
Notification of breach of unsecured PHI
– May meet the encryption safe harbor, but what if the encryption does not meet NIST specifications?
3. Can a CSP be a conduit?
Generally, no
3. Can a CSP be a conduit?
Scenario 1 – Internet Service Provider (“ISP”) provides only conduit services to Customer A. Provides only data backup to Customer B.
– Not a BA of Customer A.
– BA of Customer B for maintained and transmitted PHI.
Scenario 2 – ISP provides Customer A with: (1) transmission services; and (2) data backup services.
– Guidance suggests ISP is a BA for both data backup and transmission services.
– If transmission services are truly separate, there may be a reasonable argument that they fall under the conduit exception.
3. Can a CSP be a conduit?
Remaining questions:
– What is “temporary” for purposes of distinguishing between a conduit and a CSP? 30 days?
– Can a CSP provide both BA services and “conduit” services to the same customer?
4. Which CSPs offer HIPAA-compliant cloud services?
“OCR does not endorse, certify, or recommend specific technology or products”
5. What if no BAA?
Customer is violating HIPAA.
CSP has a choice:
1. Come into compliance with HIPAA; or
2. Securely return PHI to the customer or, if agreed to by the customer, securely destroy the PHI.
CSP generally must complete the action within 30 days to qualify for the affirmative defense to penalties.
5. What if no BAA?
Remaining questions:
– What if unsure? For example, the CSP discovers a breach involves ABC Medical Practice, but does not have a BAA. Does not know if the breach involves PHI.
– If the customer is nonresponsive, can the CSP terminate the account and delete the data?
6. If a CSP experiences a security incident involving ePHI, must it report the incident to the CE/BA?
Yes
Security Incident: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system
6. Must CSP report security incidents to its CE/BA customers?
Under HIPAA, BAs must
– Identify and respond to security incidents
– Mitigate, to the extent practicable
– Document security incidents and their outcome
Under HIPAA, BAs must report when a security incident rises to the level of a breach
Under the BAA, BAs must report to their CE/BA any security incidents of which they become aware
6. Must CSP report security incidents to its CE/BA customers?
Flexibility on reporting of security incidents
Parties may work out the level of detail, frequency, or format of reports (e.g., based on risk to PHI)
Remaining questions:
– Is advance notice in the BAA sufficient?
7. Does HIPAA allow using mobile devices to access ePHI in the cloud?
Yes
8. Does HIPAA require a CSP to maintain ePHI for some time period beyond when it has finished providing services to CE/BA?
No
9. Are overseas BAs allowed?
Yes
Consider any additional risks in risk analysis
9. Are overseas BAs allowed?
Remaining questions:
– Does this mean that every BA must be separately addressed in the risk analysis?
– Is an overseas BA directly subject to HIPAA?
10. Does HIPAA require CSPs that are BAs to provide documentation or allow auditing of their security practices by customers?
No
No HIPAA right for a customer to audit CSP or to require the CSP to provide security documentation, such as security questionnaires
Note the CSP is directly liable for
– Failure to safeguard ePHI under the Security Rule
– Impermissible uses and disclosures of PHI under the Privacy Rule
BAA requires appropriate safeguards
10. Must CSPs provide documentation to or allow auditing of their security practices by customers?
CE/BA may request additional assurances from CSP based on own risk analysis, risk management, other compliance activities
Remaining questions:
– What are a CE/BA’s “due diligence” obligations for a CSP?
– Are there monitoring or auditing expectations?
11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a BA?
CSP is not a BA if it only handles de-identified information
Covered Customer Considerations
Understand cloud services and environment
Identify all uses of CSPs – both authorized and unauthorized
Include CSPs in risk analysis and risk management
Have BAA in place with CSP
– Verify that SLA or service agreement is consistent with HIPAA
– Address customer and CSP obligations
Understand SLA/service agreement
– Understand capabilities and limitations of the CSP and its services
Consider due diligence and monitoring of CSP – even though the CSP is not required to respond
Encrypt, encrypt, encrypt
CSP Considerations
Conduct a risk analysis and risk management plan.
Treat all PHI as subject to HIPAA, even encrypted PHI.
Create a plan for responding to PHI where it doesn’t belong – e.g., come into compliance with HIPAA or require removal.
Consider addressing how security responsibilities should be delegated and how the customer is notified of its responsibilities.
Consider how to address privacy challenges (e.g., amendment requests) if you do not access PHI.
Don’t withhold access to PHI!
What’s Not Addressed
Where the breach is on the cloud but not the CSP’s fault, does the CSP end up on the HHS breach website?
Any due diligence or monitoring required in addition to the BAA?
Questions
For questions …
Becky Williams, 206.757.8171
Adam Greene, 202.973.4213