HIPAA Cloud Computing Guidance - Davis Wright Tremaine (dwt.com)

Adam Greene, JD, MPH, Partner

Rebecca Williams, BSN, JD, Partner


Nature is a mutable cloud which is always and never the same

Ralph Waldo Emerson



Agenda

A few historical notes

FAQs in Guidance

Considerations

– For Covered Entity and Business Associate Customers

– For Cloud Service Providers

Questions



History of HIPAA and Cloud Computing

Pre-2013 – Question over whether a cloud service provider (“CSP”) is a business associate (“BA”)

– Definition of BA required “use or disclosure” of individually identifiable health information on behalf of a covered entity (“CE”)

– Potentially a “conduit,” which transports PHI, with access only on a random or infrequent basis; transient nature

HIPAA Omnibus Rule (released January 2013)

– Revised definition of BA to include an entity that creates, receives, maintains, or transmits protected health information (“PHI”) on behalf of a CE or BA

– Did not use the term “cloud,” but referred to data storage companies



HIPAA Cloud Computing Guidance

HHS Office for Civil Rights (“OCR”) released cloud computing guidance on 10/6/16

Primarily a series of FAQs

Confirmed that CSPs that create, receive, maintain, or transmit PHI are BAs



1. May a CE/BA use a CSP to store or process ePHI?

Yes!



1. May a CE/BA use a CSP to store or process ePHI?

Must enter into a business associate agreement (“BAA”) (obligation primarily falls on the customer)

Both CE/BA customer (“customer”) and CSP should conduct a risk analysis

Customer should consider how cloud configuration (e.g., public, hybrid, private, etc.) affects its risk analysis


1. May a CE/BA use a CSP to store or process ePHI?

Any Service Level Agreement should be consistent with the BAA and HIPAA

CSP cannot withhold customer access to ePHI

CSP is directly subject to certain HIPAA provisions (e.g., Security Rule, impermissible uses and disclosures)


1. May a CE/BA use a CSP to store or process ePHI?

Remaining questions:

– Does this apply to colocation services?

– Storage of voicemail or text messages by a telecom?


2. If a CSP stores only encrypted PHI and does not have a decryption key, is it a BA?

Yes, the CSP receives and maintains PHI

Even though the CSP cannot view PHI

– Called “No View Services”

Outstanding issue with OCR, but now resolved

Encryption significantly reduces risk

But HIPAA safeguards are still needed


2. No View Services – Security

Flexible & scalable to address no view services

Some security safeguards may be satisfied for both parties through the actions of one

– Suggests confirming responsibilities of each party in writing

CSP not responsible for compliance failures attributable solely to the customer

– Facts & circumstances


2. No View Services – Privacy & Breach

Still bound by use and disclosure restrictions

– May not “impermissibly use” PHI by blocking or terminating customer access

Address individual rights of access, amendment, and accounting of disclosures

Notification of breach of unsecured PHI

– May meet the encryption safe harbor, but what if the encryption does not meet NIST specifications?


3. Can a CSP be a conduit?

Generally, no


3. Can a CSP be a conduit?

Scenario 1 – Internet Service Provider (“ISP”) provides only conduit services to Customer A. Provides only data backup to Customer B.

– Not a BA of Customer A.

– BA of Customer B for maintained and transmitted PHI.

Scenario 2 – ISP provides Customer A with: (1) transmission services; and (2) data backup services.

– Guidance suggests ISP is a BA for both data backup and transmission services.

– If transmission services are truly separate, there may be a reasonable argument that they fall under the conduit exception.


3. Can a CSP be a conduit?

Remaining questions:

– What is “temporary” for purposes of distinguishing between a conduit and a CSP? 30 days?

– Can a CSP provide both BA services and “conduit” services to the same customer?


4. Which CSPs offer HIPAA-compliant cloud services?

“OCR does not endorse, certify, or recommend specific technology or products”


5. What if no BAA?

Customer is violating HIPAA.

CSP has a choice:

1. Come into compliance with HIPAA; or

2. Securely return the PHI to the customer or, if agreed to by the customer, securely destroy the PHI.

CSP generally must complete the action within 30 days to qualify for an affirmative defense to penalties.


5. What if no BAA?

Remaining questions:

– What if unsure? For example, the CSP discovers a breach involves ABC Medical Practice, but does not have a BAA and does not know if the breach involves PHI.

– If the customer is nonresponsive, can the CSP terminate the account and delete the data?


6. If a CSP experiences a security incident involving ePHI, must it report the incident to the CE/BA?

Yes

Security Incident: attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system


6. Must CSP report security incidents to its CE/BA customers?

Under HIPAA, BAs must

– Identify and respond to security incidents

– Mitigate, to the extent practicable

– Document security incidents and their outcome

Under HIPAA, BAs must report when a security incident rises to the level of a breach

Under the BAA, BAs must report to their CE/BA any security incidents of which they become aware


6. Must CSP report security incidents to its CE/BA customers?

Flexibility on reporting of security incidents

Parties may work out the level of detail, frequency, or format of reports (e.g., based on risk to PHI)

Remaining questions:

– Is advance notice in the BAA sufficient?


7. Does HIPAA allow using mobile devices to access ePHI in the cloud?

Yes


8. Does HIPAA require a CSP to maintain ePHI for some time period beyond when it has finished providing services to CE/BA?

No


9. Are overseas BAs allowed?

Yes

Consider any additional risks in risk analysis


9. Are overseas BAs allowed?

Remaining questions:

– Does this mean that every BA must be separately addressed in the risk analysis?

– Is an overseas BA directly subject to HIPAA?


10. Does HIPAA require CSPs that are BAs to provide documentation or allow auditing of their security practices by customers?

No

No HIPAA right for a customer to audit CSP or to require the CSP to provide security documentation, such as security questionnaires

Note the CSP is directly liable for

– Failure to safeguard ePHI under the Security Rule

– Impermissible uses and disclosures of PHI under the Privacy Rule

BAA requires appropriate safeguards


10. Must CSPs provide documentation to or allow auditing of their security practices by customers?

CE/BA may request additional assurances from CSP based on own risk analysis, risk management, other compliance activities

Remaining questions:

– What are a CE/BA’s “due diligence” obligations for a CSP?

– Are there monitoring or auditing expectations?


11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a BA?

CSP is not a BA if it only handles de-identified information


Covered Customer Considerations

Understand cloud services and environment

Identify all uses of CSPs – both authorized and unauthorized

Include CSPs in risk analysis and risk management

Have BAA in place with CSP

– Verify that SLA or service agreement is consistent with HIPAA

– Address customer and CSP obligations

Understand SLA/service agreement

– Understand capabilities and limitations of the CSP and its services

Consider due diligence and monitoring of CSP – even though the CSP is not required to respond

Encrypt, encrypt, encrypt


CSP Considerations

Conduct a risk analysis and risk management plan.

Treat all PHI as subject to HIPAA, even encrypted PHI.

Create a plan for responding to PHI where it doesn’t belong – e.g., come into compliance with HIPAA or require removal.

Consider addressing how security responsibilities should be delegated and how customer is notified of responsibilities.

Consider how to address privacy challenges (e.g., amendment requests) if you do not access PHI.

Don’t withhold access to PHI!


What’s Not Addressed

Where breach is on cloud but not CSP’s fault, does CSP end up on HHS breach website?

Any due diligence or monitoring required in addition to BAA?


Questions


For questions …


Becky Williams, 206.757.8171

[email protected]

Adam Greene, 202.973.4213

[email protected]