HIPAA Breaches in the Cloud: 2 Oregon Incidents Reveal Omnibus Fog
Two recent breaches at Oregon Health & Science University involved the inappropriate storage of unencrypted patient information in the cloud. These incidents put a spotlight on the issue of how the HIPAA Omnibus Rule affects cloud vendor compliance.
In the two OHSU incidents, information on a total of more than 3,000 patients was inappropriately posted in unencrypted spreadsheets using cloud-based e-mail and document storage services from Google. OHSU did not have a business associate agreement with Google. But some regulatory experts say that a vendor that stores and has access to protected health information on behalf of a covered entity, even if data is not viewed by the vendor, qualifies as a business associate under HIPAA Omnibus.
And under HIPAA Omnibus, business associates are liable for HIPAA compliance and must ensure patient information is safeguarded.
OHSU Breach Details
Physicians-in-training, or residents, from two OHSU medical departments maintained unencrypted, cloud-based spreadsheets of patient information in violation of the organization's policy. "Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division," says an OHSU statement.
The first incident, involving residents from the Division of Plastic and Reconstructive Surgery, was discovered in May by an OHSU School of Medicine faculty member. The second, involving residents at the Department of Urology and in Kidney Transplant Services, was discovered while OHSU's information privacy and security team was investigating the first incident.
"After weeks spent reconstructing the data, the privacy and security experts discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected," says the statement. OHSU is notifying all affected patients.
OHSU says data inappropriately stored in the cloud included patient name, medical record number, dates of service, age, provider's name, and diagnosis and prognosis. For 731 patients, addresses also were included. No Social Security numbers, insurance, credit card or bank information was included, nor phone numbers or dates of birth, the statement says.
"There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient-care need to view the information," the statement notes. "However, the terms of service indicate the data stored with the Internet-based provider [Google] can be used for the 'purpose of operating, promoting, and improving [its] services, and to develop new ones.' OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes."
The statement also says that although Google Drive and Google Mail are password-protected and have security measures and policies in place to protect information, Google "is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information."
"We've been looking at the best ways to deal with cloud companies," says John Rasmussen, OHSU's chief information security officer, in an interview with HealthcareInfoSecurity. "Google doesn't give business associate agreements," which is also the case with some other cloud companies, despite the expanded definition of BAs under HIPAA Omnibus, Rasmussen says. "It's certainly a muddy area."
Google did not respond to a request for comment.
Who Is a BA?
But can a vendor be a business associate even if it lacks a formal contract with a healthcare organization?
"Under the HIPAA Omnibus Rule, the definition of business associate was modified to include an organization that 'creates, receives, maintains or transmits' protected health information on behalf of a covered entity," Rachel Seeger, a spokesperson for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, told HealthcareInfoSecurity.
"A data storage company that has access to protected health information - whether digital or hard copy - qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis," Seeger says. "Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold."
Some privacy and security experts believe that HHS is indeed headed in the direction of classifying many cloud services providers as business associates, whether those vendors agree or not.
"From what I've heard from HHS, and more specifically OCR representatives, cloud providers will usually be considered as BAs because of their persistent possession of protected health information, and their access to the PHI," says security specialist Rebecca Herold, partner at the Compliance Helper and CEO of The Privacy Professor, a consulting firm. And that's the case even if the vendor doesn't sign a business associate agreement, she adds.
"But if employees of covered entities are taking it upon themselves to store PHI in a cloud service provider, in violation of the CE's policies, that is a completely different type of situation, and the unauthorized cloud provider will likely not be considered to be a BA," she explains.
Employees of covered entities are obligated to follow the organization's policies and procedures, she notes. "Those policies and procedures need to cover how employees can and cannot take PHI and put it into the cloud. The employee is ultimately responsible for following the CE policies, and the CE must perform appropriate due diligence to ensure they are complying," she says. "Typically you will not have an employee of a CE creating a BA relationship with some other entity that they decided to use on their own."
Still, independent security consultant Tom Walsh says there's a good chance that a reportable breach in cloud incidents like the OHSU cases could have been easily avoided.
"The interesting thing is that if the data stored in the cloud - [involving] Google or anyone else - was encrypted, then this would solve multiple issues," he says. "Google could claim it had no access to patient information [because] data is encrypted, and therefore, no BAA needed," he says. "Google would not be able to use the stored data for 'purpose of operating, promoting, and improving [its] services, and to develop new ones' if the data was encrypted."
Get The Word Out
Covered entities must educate staff members if they, in fact, have no formal business associate relationships or policies in place allowing staff to securely use the services of cloud providers, experts say.
"CEs need to provide training, and ongoing awareness, of what is and is not appropriate with regard to storing PHI outside of the areas the CE has provided," Herold says.
"We need a lot of education for the healthcare staff regarding the privacy, security and risks of any business-related data stored in the cloud," Walsh says. "This includes the use of personally owned mobile devices [such as] smart phones or tablets that automatically synchronize data to the cloud. When users access company e-mail on a personally owned device, where do that message and its attachments get stored?"
Rasmussen says OHSU has re-educated all residents about the critical importance of using OHSU-approved tools for securely sharing and updating patient information. In addition, all patient information found on the cloud-based sites has been removed, according to the OHSU statement.
While OHSU has a policy against storing unencrypted PHI on the cloud, Rasmussen acknowledges that it's often difficult for residents to navigate such policies, especially when they've used cloud services to share other information with professors and other medical students.
"I don't expect residents to be experts in contracts or health data law," he says. That's why OHSU's ramped up training of its residents about approved and secure data storage is important.
In addition to providing training, CEs should give "ongoing reminders to their staff, and monitor and audit for non-compliance," Herold suggests.
Still, those steps aren't guarantees that a breach involving cloud-based services won't happen, Walsh says.
"My recommendations would be buy the commercial storage and encrypt the data using a 'strong' password to prevent unauthorized access to the data," he suggests. "Otherwise, get a signed BAA with the cloud service provider - good luck with that - to meet the modified BA definition as a result of the Omnibus Rule."
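What Walsh describes, both in his earlier point that encrypted data would leave Google with nothing it could read or "use" and in the recommendation above, is encrypt-before-upload: the spreadsheet is sealed on the user's side under a strong passphrase, so only ciphertext ever reaches the cloud service. The following Go program is an added example of that approach; it is not code from the original article, from OHSU, or from Google. The sample roster is constructed (field types taken from the OHSU statement, values invented), the passphrase-length floor and the PBKDF2 iteration count are this example's own choices, and PBKDF2-HMAC-SHA256 is written out on the standard library so the program has no third-party dependency.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	// Constructed sample roster (field types from the OHSU statement, values invented).
	samplePHI     = "name,mrn,date_of_service,provider,diagnosis\nJane Doe,0000001,2013-07-01,Dr. Example,sample diagnosis\n"
	saltLen       = 16
	nonceLen      = 12      // cipher.NewGCM standard nonce size
	keyLen        = 32      // AES-256
	iterations    = 600_000 // PBKDF2-HMAC-SHA256 work factor (this example's choice)
	minPassphrase = 16      // length floor only: necessary, not sufficient, for "strong"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written on the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1}); T = U1 xor ... xor Uc
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// gcmFor derives the AES-256 key from passphrase and salt and returns an AEAD.
func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a roster for upload as salt || nonce || ciphertext+tag; the salt is
// bound as associated data so a swapped header also fails authentication.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	if len(passphrase) < minPassphrase {
		return nil, fmt.Errorf("passphrase shorter than %d characters", minPassphrase)
	}
	hdr := make([]byte, saltLen+nonceLen) // random salt followed by random nonce
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(hdr)+len(plaintext)+gcm.Overhead())
	out = append(out, hdr...)
	return gcm.Seal(out, hdr[saltLen:], plaintext, hdr[:saltLen]), nil
}

// Open reverses Seal and fails closed: a wrong passphrase or any altered byte
// returns an error and no partial plaintext.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("blob too short to be a sealed roster")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase or tampered blob")
	}
	return pt, nil
}

func main() {
	blob, err := Seal("correct horse battery staple", []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into a %d-byte blob\n", len(samplePHI), len(blob))
}
```

Seal is what runs before the file leaves the workstation; Open is what a colleague with the passphrase runs after downloading it. The failure mode Walsh is worried about, unauthorized access to the stored data, shows up as Open refusing to return anything for a wrong passphrase, a truncated file, or a single flipped ciphertext bit, rather than as garbled but partially readable output. The code settles who can read the spreadsheet; whether a provider that holds only ciphertext is still a business associate is the regulatory question the article leaves open.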
In addition to the training that OHSU is providing its staff related to the cloud, Rasmussen says his infosecurity team has other safeguards, including Internet filters, under evaluation that could be deployed to prevent PHI from going to the cloud.
Also, in the aftermath of other recent breaches at OHSU involving stolen laptops, an aggressive encryption effort is under way for mobile devices, including personally owned computing gear of physicians in private practices.
Unless encryption can be verified by OHSU, personally owned devices "will not be allowed access onto our network," he says.