For healthcare organizations, HIPAA compliance will always be top of mind. It’s serious business; violations and data breaches carry serious consequences. And cloud adoption further complicates the matter. How can healthcare organizations ensure that electronic Protected Health Information (ePHI) remains appropriately protected in a third party’s infrastructure?
Updates to HIPAA are beginning to address this question. HIPAA rules now apply to both covered entities and their “business associates,” seemingly distributing the burden of compliance—and the consequences of noncompliance—a little more evenly than before. This may make less of a difference to your responsibilities than it first appears, however. Let’s examine why, and what you need to do to ensure HIPAA compliance no matter whose cloud you use.
What is a “business associate”?
The definition of “business associate” (BA) is fairly broad. According to the U.S. Department of Health & Human Services, a BA:
is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
Some debate surrounds the topic, but the language itself seems clearly to include third party cloud service providers (CSPs).
For the purposes of this blog, let’s assume that third party cloud providers do fall under the definition of BA and are therefore subject to HIPAA regulations, just like covered entities. Let’s also assume that you have a clear contract in place, legally binding your cloud provider to appropriately protect your ePHI. Does this free you to entrust HIPAA compliance to your cloud provider once your data leaves your premises and enters theirs?
Do Business Associate agreements or contracts mitigate your liability in the event of a breach?
The short answer is no. HIPAA does now extend liability for noncompliance and breaches to third party BAs, giving them additional incentive to remain in compliance, but having a contract or business associate agreement with a third party cloud provider does not release covered entities from responsibility—or mandatory breach notification requirements—in the event of noncompliance or disclosure. To put it simply, your BAs have good reason to safeguard your data, but if they somehow fail to do so, you are still generally liable, as an advisory from the Katten law firm points out.
That is, Katten explains, “unless the covered entity or business associate demonstrates through a risk assessment that there is a ‘low probability that the PHI has been compromised’ or unless an exception applies.”
“End Of Year HIPAA Breach Notification Reports Due By March 1, 2014”
Covered entities or Business Associates who experienced a Breach of Unsecured Protected Health Information during the calendar year 2013 which impacted fewer than 500 individuals are required to report the breach to the Office of Civil Rights no later than 60 days following the end of the calendar year (March 1, 2014). This report is required by the HIPAA Breach Notification Rule.
Notifications of Breaches of Unsecured Protected Health Information involving more than 500 individuals should have been submitted to OCR within 60 days of the breach.
Failure to complete the required end-of-year reporting is considered a HIPAA violation and could result in significant penalties – as much as $1,500,000 per violation.
So how does cloud encryption maintain HIPAA compliance with BAs?
The most reliable way to ensure HIPAA compliance with cloud provider BAs is to apply encryption to your ePHI before it ever leaves your perimeter, and to keep the encryption keys on your premises—not with any third party. The reason for that is simple. If encrypted data is disclosed without the encryption key, it can’t be decrypted or read. It is, therefore, not truly compromised.
Even with BAs and BA agreements, then, HIPAA compliance in the cloud becomes much simpler than it appears at first glance. Encrypt before your data moves to the cloud, and keep the encryption keys. Retaining control over the protection of your data clears away the confusion of agreements, contracts, and third party liability and leaves you in the clear, just as if your data had never left your building. This control is a central tenet of CipherCloud’s Cloud Information Protection platform, and the law bears our approach out.
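The following Go sketch is an added illustration of the approach described above, not CipherCloud's code or code from this post. It goes one step beyond the text with a common envelope design: each record is encrypted on premises under its own data key, that key is wrapped under a key-encryption key (KEK) that stays on premises, and only the ciphertext plus the wrapped key is handed to the provider; the type and function names and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudObject is all the provider (the BA) stores: AES-GCM ciphertext plus the per-record data
// key (DEK) wrapped under a key-encryption key (KEK) that never leaves the premises.
type CloudObject struct{ Nonce, Ciphertext, DEKNonce, WrappedDEK []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: stop rather than emit weak keys or nonces
	}
	return b
}
func aead(key []byte) cipher.AEAD { // AES-256-GCM; a wrong key length is a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}
func seal(key, pt, aad []byte) (nonce, ct []byte) { // aad binds the ciphertext to its record ID
	g := aead(key)
	nonce = randomBytes(g.NonceSize()) // fresh nonce per encryption; never reused under one key
	return nonce, g.Seal(nil, nonce, pt, aad)
}

// EncryptForCloud runs on premises before upload: a random DEK encrypts the record, the KEK wraps the DEK.
func EncryptForCloud(kek, record []byte, id string) (obj CloudObject) {
	dek := randomBytes(32)
	obj.Nonce, obj.Ciphertext = seal(dek, record, []byte(id))
	obj.DEKNonce, obj.WrappedDEK = seal(kek, dek, []byte(id))
	return obj
}

// DecryptFromCloud also runs on premises; with a wrong or missing KEK, or a swapped record ID,
// GCM authentication fails and no plaintext is released.
func DecryptFromCloud(kek []byte, obj CloudObject, id string) ([]byte, error) {
	dek, err := aead(kek).Open(nil, obj.DEKNonce, obj.WrappedDEK, []byte(id))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aead(dek).Open(nil, obj.Nonce, obj.Ciphertext, []byte(id))
}

func main() {
	kek := randomBytes(32) // constructed KEK; in practice held in an HSM or KMS you control
	obj := EncryptForCloud(kek, []byte("MRN 000123; dx: hypertension"), "rec-1") // constructed ePHI
	_, err := DecryptFromCloud(make([]byte, 32), obj, "rec-1") // a breached provider holds obj, not the KEK
	fmt.Println("provider-side decrypt:", err)
}
```

Rotating the KEK means re-wrapping the small DEKs, not re-encrypting every record, which is one practical reason the two-key layout is preferred over encrypting everything directly under the KEK.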
How do you plan to approach HIPAA compliance as it relates to BAs? Let us know in the comments.