HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013


Upload: rightscale

Post on 13-May-2015


Category: Technology



DESCRIPTION

Speaker: Phil Cox - Director of Security and Compliance, RightScale. On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. Many organizations have based their architectures and implementations on previous proposed and interim regulations, some of which are no longer valid. Anyone falling under HIPAA requirements must meet these new definitive compliance requirements by September 23, 2013. This talk will discuss the parts of the Omnibus Rule that affect the cloud landscape, and how you can successfully deploy a HIPAA-compliant application in the public cloud.

TRANSCRIPT

Page 1: HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013

April 25-26, San Francisco

cloud success starts here

HIPAA in Public Cloud

The Rules Have Been Set

Page 2

Introduction

• On January 25, 2013, HHS released the Omnibus Rule, which finalized all the former HIPAA/HITECH interim rules

• Most of this session will be about HIPAA/HITECH and not necessarily cloud (if you don't understand the former, you'll have no clue how to apply it to the latter)

Page 3

My Core Message for Today:

HIPAA compliance in public cloud is about governance

Page 4

Agenda

• Quick HIPAA level set

• Main changes

• Wrap-up

Page 5

About HIPAA

• HIPAA is the Health Insurance Portability and Accountability Act of 1996

• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

• Defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information

• 3 main "Rules" from the Administrative Simplification Rules:
  • Privacy Rule
  • Security Rule
  • Breach Notification Rule

Page 6

The "3 Main Rules"

• They apply to covered entities and business associates

• Privacy: imposes controls around preventing unauthorized disclosure of protected health information in any form

• Security: purpose is to prevent unauthorized electronic access to protected health information

• Breach Notification: purpose is to ensure timely notification of affected parties in the event of a failure of the above two controls

Page 7

About HITECH

• HITECH Act, part of the American Recovery and Reinvestment Act of 2009

• Made law February 17, 2009 (13 years after HIPAA)

• Is the "enforcement" rule that gives HIPAA teeth

Page 8

Important Terms

• Covered Entity (CE): a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction

• Business Associate (BA): operates on behalf of a CE
  • Think: a function or activity involving the use or disclosure of individually identifiable health information: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, etc.

• Protected Health Information (PHI)
  • Think: individually identifiable health information
  • Any demographic information related to the condition, provision or payment of health care to an individual
  • Identifies the individual

Page 9

Privacy Rule Primer

• Requires appropriate safeguards to protect the privacy of personal health information

• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization

• All about authorized disclosure

Page 10

Security Rule Primer

• Maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically:
  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce

• Required and Addressable Implementation Specifications
  • "Required" implementation specifications must be implemented
  • "Addressable" permits entities to adopt an alternative measure that achieves the purpose of the standard

Page 11

Breach Notification Primer

• Notification required if the breach involved unsecured protected health information
  • Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals

• Covered entities must notify:
  • Affected individuals
  • Prominent media outlets serving the State or jurisdiction, if more than 500 residents are affected
  • HHS within 60 days (if fewer than 500 individuals are affected, this can be done annually)

• Business Associates must notify the covered entity (within 60 days)

• Burden of proof is on you to show that:
  • All required notifications have been provided, OR
  • The disclosure did not constitute a breach

Page 12

Subliminal Messaging:

HIPAA compliance in public cloud is about governance

Page 13

Main Changes

• Business Associates

• State law preemption

• Use of PHI in Marketing

• Application of HIPAA to hybrid entities

• Breach notification

Page 14

Business Associate

• By law, the HIPAA Privacy Rule applied only to covered entities

• The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule.

Page 15

Who is a Business Associate?

• Those who will create, receive, maintain, or transmit protected health information for a covered entity
  • Generally a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.

• New: specific call-out for
  • Patient Safety Organizations
  • Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as well as Vendors of Personal Health Records
  • Subcontractors {recursive}

Page 16

Conduit and Incidental exceptions

• With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

• With a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.

Page 17

Conduit exception clarification

• "... We note that the conduit exception is limited to transmission services (whether digital or hard copy)… In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information…the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis." (emphasis added)

Page 18

BAA: Is it Optional?

• Per Page 5591
  • Comment: One commenter suggested that business associate agreements should be an "addressable" requirement under the Security Rule.
  • Response: The HITECH Act does not remove the requirements for business associate agreements under the HIPAA Rules. Therefore, we decline to make the execution of business associate agreements an "addressable" requirement under the Security Rule.

• If you decide to forego the BAA, make an informed decision …

Page 19

Direct Liability & Sub-Contractors

• Modified to implement the HITECH Act's provisions extending direct liability for compliance to business associates
  • Now directly liable for civil money penalties

• A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate
  • A BA must have a BAA with its subcontractors (each is just another BA). This is recursive.

Page 20

Status on our cloud providers and BAA

• The good news is that several of our cloud providers will sign a BAA.

• Azure: Will sign a BAA

• Datapipe: On a case-by-case basis

• AWS: No public statement
  • We have heard from at least one customer that they were able to get AWS to sign a BAA

• GCE: Not at this time

• Rackspace: Not at this time

• Softlayer: Not at this time

Page 21

RightScale and BAA

• We do not have access to ePHI

• If we are invited to an account, we may have "incidental" access

• RightLink runs on the instance; it does not interact with the electronic personal health information (ePHI) as part of its normal operations
  • You don't sign a BAA with your AV vendor

• Our understanding is that RightScale is not a Business Associate

Page 22

Preemption of State Law

• HIPAA privacy requirements are to supersede only contrary provisions of State law

• State law supersedes where the provision of State law provides more stringent privacy protections than the HIPAA Privacy Rule

Page 23

Marketing use of PHI

• Marketing communications that involve financial remuneration:
  • The covered entity must obtain a valid authorization from the individual before using or disclosing PHI
  • The authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party

Page 24

Hybrid entities

• The covered entity itself, and not merely its health care component, is responsible for business associate arrangements and other organizational requirements

• Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component

Page 25

Changes to Breach Notification Rule

• Clarified the term "Breach"
  • Basically guilty until proven innocent

• Changed "risk of harm" to "low probability PHI compromised"
  • Means you have to do a risk assessment. Can you?

• Changed "unauthorized individuals" to "unauthorized persons."

• How does the BNR affect you?
  • You need to be watching (remember willful neglect?)
  • Review is important
  • Need to have a mechanism for notification
  • Business Associates need to notify Covered Entities

Page 26

Consequences

• Fines
  • Caps apply per violation type, not to the total

Violation Category              | Each Violation   | Annual cap on identical violations
Did not know                    | $100-$50,000     | $1.5m
Reasonable Cause                | $1,000-$50,000   | $1.5m
Willful Neglect - Corrected     | $10,000-$50,000  | $1.5m
Willful Neglect - Not Corrected | $50,000          | $1.5m

Page 27

Time Frames

• Published January 25, 2013

• In effect March 26, 2013

• Compliance date is September 23, 2013

• 180 days: "In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules …"

Page 28

Subliminal Messaging:

HIPAA compliance in public cloud is about governance

Page 29

Conclusion

• The rules are set; you should read the Omnibus Rule

• Managing your Business Associates is critical

• If you are a Business Associate, you now have direct liability

• You are responsible for your subcontractors, and they for their subcontractors

• Good security, as always, will cover most of what you need.

Page 30

Can using RightScale help?

• RightScale's management features can be helpful as companies work to comply with HIPAA

• Features such as:
  • Monitoring
  • Access control
  • Audit trails
  • ServerTemplate

• While these are not "HIPAA compliance features", they can be tools that help customers implement their HIPAA procedures.

Page 31

April 25-26, San Francisco

cloud success starts here

Page 32

My Contact Info

• Email: [email protected]

• Twitter: sec_prof

• Google+: [email protected]