HIPAA Compliance in the Cloud: Who’s Responsible?

The widespread adoption of cloud solutions within organizations has transformed the way we work. All around us, companies are cutting ties with legacy software systems and turning to online ‘hosted’ alternatives, such as SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service). One report estimates 83% of enterprise workloads will be in the cloud by 2020.

When you consider the benefits of cloud-based solutions over desktop software, it's clear to see why such growth is occurring: improved efficiency, mobility, cost reduction, scalability from virtualization, as well as round-the-clock support, are all driving forces behind cloud growth. The quest for ‘digital transformation’ more generally within enterprises is also a major factor driving the rush to the cloud.

However, cloud computing also brings with it a number of concerns, not least around security and compliance. For companies operating in the healthcare sector, which accounts for nearly one fifth of the US economy, these concerns are intensified by the Health Insurance Portability and Accountability Act (HIPAA), legislation that mandates data privacy and security provisions for safeguarding what is known as ‘protected health information’ or PHI.

This applies both to healthcare organizations, including providers and payers (classed as covered entities), and to third-party vendors of those covered entities (known as business associates) who perform certain functions for, or on behalf of, a covered entity that involve creating, receiving, maintaining, or transmitting PHI.

For example, a cloud services provider (CSP) that is involved in creating, receiving, maintaining, or transmitting PHI for a covered entity - be it mere data storage, a cloud fax service, or a complete software solution such as a hosted electronic medical record system - would almost certainly be considered a business associate under HIPAA, and this leads to some major questions around responsibility.

In short, cloud compliance is important, although it does not have to be complicated. In addition to making sure their own IT infrastructure is watertight, healthcare organizations also need to ensure that third parties are equally robust with regard to security and compliance - after all, a chain is only as strong as its weakest link.

HIPAA compliance in the cloud
In recognition of the grey areas surrounding HIPAA in the cloud, a couple of years back the US Department of Health and Human Services (HHS) - the agency that sets the HIPAA rules - released detailed guidance on cloud computing to help covered entities and CSPs maintain HIPAA compliant relationships. The guidance set out five critical steps that parties must adhere to:

  1. Sign a Business Associate Agreement - This requires the business associate to appropriately safeguard PHI, amongst other things.
  2. Conduct a HIPAA Security Risk Analysis - The covered entity (or business associate) that engages a CSP must thoroughly vet, and document, the cloud computing environment and security solutions offered by the CSP as part of its risk management policies.
  3. Comply with the HIPAA Privacy Rule - A business associate may only use and disclose PHI as permitted by the BAA and the HIPAA Privacy Rule, or as otherwise required by law.
  4. Implement HIPAA Security Rule safeguards - A business associate must comply with the applicable standards and implementation specifications of the Security Rule with respect to PHI.
  5. Comply with the HIPAA Breach Notification Rule - Covered entities and business associates are directly liable if they fail to safeguard PHI in accordance with the Security Rule, and a cloud service provider is obligated to notify the covered entity of which it is a business associate upon discovering that a data breach has occurred.

There is one exception to this rule: if, for example, a missing device holding PHI had been properly encrypted such that there was a “low probability” that the data would be accessible or decipherable by persons unauthorized to view it, the breach would not need to be reported under the ‘Safe Harbor’ provisions of the Breach Notification Rule.

Essentially, without a Business Associate Agreement in place with the third-party vendors with whom they share PHI, covered entities are leaving themselves exposed to a significant risk of compliance violations.

Historically, some cloud service providers were able to absolve themselves from any HIPAA responsibilities by claiming the ‘Conduit Exception Rule,’ which applies to any entity that simply transports or transmits PHI but does not have regular access to it. This exception would certainly apply to postal services, couriers and internet service providers, for example. But the exception does not apply to CSPs that store or maintain PHI on a ‘more than temporary basis.’

When it rains it pours
Data breaches are costly, both in monetary terms and because of the long-lasting reputational damage a breach can inflict on an organization. Customer trust can take a lifetime to gain and just a second to lose, and it’s often these hidden costs that take the biggest toll.

A HIPAA breach specifically can be just as damaging, with fines ranging from $100 to $50,000 per violation or record, up to a maximum of $1.5 million per year for each violation. To make matters worse, all HIPAA breaches affecting 500 or more individuals are listed permanently on the Breach Portal, or “Wall of Shame” as it is more commonly known, maintained by the Department of Health and Human Services Office for Civil Rights, which is responsible for compliance enforcement. This list is essentially a public record of such breaches. Worse still, certain HIPAA violations can lead to criminal referrals.

For healthcare providers and business associates, the benefits of the cloud are impossible to ignore. In order to take advantage of cloud services while complying with HIPAA regulations, all stakeholders must ensure that security and privacy are top priorities. Working with a good cloud service provider can offer many advantages, economic and otherwise, but this should never come at the expense of patient privacy.