Cloud Computing Compliance Issues: Working Out Security Details with Business Associates
Under the HIPAA Omnibus Rule, business associates, including many cloud computing services providers, are now directly liable for HIPAA compliance. That means business associate agreements need to be in place and safeguards for protecting data spelled out. But getting those details into contracts with cloud vendors isn't always easy.
In some cases, tweaking existing contracts between covered entities and cloud providers might prove sufficient. But in other instances involving cloud vendors that weren't previously considered business associates, detailed agreements may need to be developed from scratch. And that could prove problematic if the vendor resists being labeled as a business associate.
The HIPAA Omnibus Rule spells out a new, broader definition of a business associate as "an entity that creates, receives, maintains or transmits protected health information for a function or regulated activity," says attorney Stephen Wu, a partner at Cooke Kobrick & Wu LLP. As a result, many cloud vendors are business associates that now must comply with HIPAA, he points out.
"There are lots of vendors out there who are trying to say, 'Well, we've never been a business associate in the past; we don't think that we are a business associate,'" Wu says. "In the process of renewing contracts or entering into new sales contracts ... people upstream are saying, 'You are a business associate; we want you to sign this business associate agreement.' And the vendor is trying to say, 'Well, I don't think I want to have that compliance overhead; I don't want to sign that business associate agreement.'"
Get It in Writing
Hospitals, clinics, health plans and other covered entities that determine a cloud vendor is, indeed, a business associate, need to make certain they have a business associate agreement in place or risk non-compliance with HIPAA Omnibus.
"In many ways, a business associate agreement with a cloud services provider is really no different from a BAA with any other business associate," says independent security consultant Tom Walsh. "Regardless of the service provided to the covered entity, knowing exactly what protected health information is being processed or stored by the BA and knowing where the data goes from inception to disposal is the key. If the CE and the BA aren't in sync from this perspective, the chances for a breach of PHI can increase."
Walsh says covered entities should, among other things, make certain that their BAs are conducting an ongoing risk analysis and sharing proof of HIPAA compliance.
It's those kinds of security practice details that are prompting a lot of heavy negotiations between covered entities and cloud providers, says privacy and security attorney Gerard Stegmaier of Wilson Sonsini Goodrich & Rosati.
"Virtually every single enterprise deal slows down to a halt with privacy and security," he says. "There's a lot of haggling over indemnification - who pays if something goes wrong."
For instance, some cloud computing vendors, such as software-as-a-service providers, want to offer a one-size-fits-all solution with little negotiation, while some covered entities "have 500 pages of security and privacy controls" they want added to their business associate agreements in light of HIPAA Omnibus, Stegmaier says.
"If you're a cloud provider, it's not easy to decide what level of protection" is needed for a particular customer's data, he says. "The obstacle for many cloud providers is that they don't have visibility into the data because that would be a privacy concern," he notes. So the degree of protection needed is often difficult to specify when covered entities and business associates disagree.
"There's been enormous pushback from some cloud providers who are telling customers, 'you won't give us PHI and we will not maintain PHI,'" says Willy Leichter, global director of cloud security at CipherCloud, which offers security products for the cloud.
Some cloud providers spooked by HIPAA Omnibus are questioning whether the amount of revenue they get from serving a healthcare client is worth the gamble of a HIPAA breach, Leichter says. Under HIPAA Omnibus, business associates, including cloud vendors, can be liable for HIPAA non-compliance and breaches, with enforcement penalties from the Department of Health and Human Services ranging up to $1.5 million per violation.
Even when cloud providers give concessions about the steps they're willing to take to safeguard health data, many are looking for contractual loopholes when it comes to liability, Leichter contends.
For instance, "many cloud providers will say they will provide encryption, but will not agree to liability," he says.
One way of handling that issue is for covered entities themselves to deploy persistent encryption at the data level, so that data is encrypted in transit and at rest, with the covered entity holding the key, Leichter suggests. This encryption helps protect data downstream as it flows to business associates, including cloud providers, he says.
Encrypting data that's handled by a cloud services provider raises the question of whether the provider meets the definition of a business associate, Walsh points out.
"The key factor is the persistent access to PHI. If the PHI stored in the cloud is encrypted and there is no way the BA could ever access that data, one may argue that the cloud service provider is not a BA because they do not perform a 'HIPAA-related transaction' on the behalf of the CE and they have no access to PHI," he says. "If the data is encrypted and the cloud provider simply stores the data, where contact with PHI would be incidental, the cloud services provider may not be a BA."
If a cloud vendor holds the encryption key to a healthcare client's data, the vendor is clearly a business associate under HIPAA Omnibus, says Natalie Mosallam, chief health IT counsel at Verizon, which offers hosting and other cloud services to healthcare providers. However, if a cloud vendor does not hold the key to a healthcare client's encrypted data, "that's a gray area" under HIPAA Omnibus in terms of whether the cloud provider is a BA, she says. In either case, though, Verizon will generally sign a business associate agreement with a client who requests it, she says.
Steps To Take
Walsh says key steps that covered entities should consider to ensure their cloud providers are compliant under the HIPAA Omnibus Rule include:
- Making sure the BA is fully aware of the new rule's requirements and is prepared to meet all of them. "In particular, this means to be compliant with the HIPAA Security Rule."
- Vetting the cloud provider before signing a contract. "Convince yourself that the BA could pass an OCR [HHS Office for Civil Rights] HIPAA compliance audit whether it was conducted as an extension of an audit of the covered entity, or an independent evaluation and validation of the safeguards and controls implemented by the BA," he says.
- Ensuring the cloud services provider performs an ongoing risk analysis and asking to see the results or proof of HIPAA compliance. "Obtain periodic assurance, for example an annual third-party evaluation, that the cloud provider is compliant," he says.
"With the new Omnibus requirements for BAs, approaching the relationship between the covered entity and the BA from an OCR audit standpoint can be helpful," Walsh says. "Addressing the 'three Ps' - perception, policy, and practice - within both organizations should help ensure that all requirements are being sufficiently addressed."
Several cloud services providers did not reply to requests for comment for this story.
But cloud-based electronic health record vendor athenahealth acknowledges it's clearly a business associate. And its claims clearinghouse unit has always qualified as a HIPAA covered entity.
As a result of HIPAA Omnibus, the company is updating its business associate agreements to reflect changes in the breach notification rule as well as the company's relationships with subcontractors, who are now also liable for HIPAA compliance, says Megan Marshall, the company's senior counsel. "We've always had business associate agreements ... but with the final rule, we needed updates," she says.