HIPAA Hits the Cloud
New guidance from the Office of Civil Rights makes clear: HIPAA’s privacy protections extend to cloud providers, too.
The rise of cloud service providers in recent years has been a boon for the healthcare industry. Tools like hosted electronic health record systems have allowed care providers to enjoy the benefits and efficiency of powerful software applications without having to invest in expensive servers and networking gear – and the staff to support them.
But cloud has also raised tricky questions in the heavily regulated healthcare industry. Chief among them: what is the status of cloud providers and the data they store? Are cloud providers simply “business associates” of their healthcare industry customers – no different than the MRI providers or billing firms? And what about providers like DropBox that offer generic cloud-based storage, not services specific to the healthcare sector?
Well, when it comes to data privacy and the healthcare industry, there’s no such thing as “washing,” according to new guidance from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). In fact, all cloud service providers that store protected health information (PHI) are considered “business associates” under the HIPAA law and are bound by the same regulations as other companies that handle protected health data, OCR said.
The folks over at Hogan Lovells Office of Data Protection unpack the new guidance in a blog post. As the post makes clear, OCR is asking organizations covered by the HIPAA law to assess their relationships with cloud providers – whether they provide complex, hosted applications or simple cloud-based data storage. If a provider stores PHI, then it is a covered business associate of the HIPAA-covered entity and will need a business associate agreement (BAA) that spells out how PHI will be protected.
And that’s true even if a cloud provider cannot access the PHI that it stores. In other words, even secure hosted storage providers, which store encrypted data on behalf of customers but lack the key to decrypt it, are considered business associates of HIPAA-covered entities and need a BAA.
Important for the increasingly fragmented environments at many health providers: mobile devices and their data are bound by this guidance as well. Cloud providers used by mobile device (or tablet) apps are covered by the new guidance, and HIPAA-covered entities should have business associate agreements in place with those providers too if they store or have access to PHI. The agency has already provided guidance to mobile application developers about how to handle electronic PHI. The cloud guidance just completes the picture.
The new guidance is timely. Cloud-based services have already been the subject of data breaches affecting patient health information and of fines related to HIPAA violations. In July, Oregon Health & Science University (OHSU) agreed to a settlement and paid $2,700,000 in fines for violations of HIPAA’s Privacy and Security Rules. In part, those fines stemmed from a breach of its unsecured electronic protected health information (ePHI) system resulting from storing ePHI with an internet-based service provider without a business associate agreement.
Also, in September 2015, a leak of patient health information through a cloud-based file-sharing platform contributed to an almost quarter-million-dollar fine levied against Boston’s St. Elizabeth’s Medical Center for violating HIPAA. OCR announced a settlement with St. Elizabeth’s in which the hospital agreed to pay penalties totaling $218,000 stemming from a November 2012 complaint. As the HIPAA data protection requirements continue to broaden to cover more entities, business associates of healthcare organizations will have a new challenge: bolster their protections of ePHI or face similar fines.