Healthcare providers and business associates are responsible for ensuring that their cloud service providers are getting the job done when it comes to meeting compliance mandates.
The need to cut costs and become as efficient as possible is a good reason why healthcare organizations are embracing cloud. But when it comes to the Health Insurance Portability and Accountability Act (HIPAA) and the management of individually identifiable health information, or protected health information (PHI), HIPAA covered entities and business associates often don’t know how to use cloud services while remaining compliant with the regulation.
Many healthcare enterprises have trouble meeting industry standards as well as government regulations. According to this story in Healthcare Informatics, “Two thirds of healthcare industry vendors report they are not prepared to comply with the Health Information Trust Alliance’s (HITRUST) healthcare data protection standards, despite ongoing concerns about cyber security as it relates to healthcare information, according to a recent survey by New York City-based audit, tax and advisory firm KPMG.”
There’s certainly no mandate from anywhere to comply with HITRUST, but the framework is a reasonable way for organizations to assess the health of their security controls.
When it comes to the mandates, the HIPAA Rules are designed to help those in healthcare protect PHI from being compromised. Last week the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published much anticipated guidance on how covered entities and business associates can use cloud computing for their electronic PHI (ePHI) while still complying with the HIPAA Rules that protect the privacy and security of that data.
The new guidance helps all involved, including cloud providers, to better understand their HIPAA requirements. The focus in the guidance is on “covered entities” and “business associates.” According to HHS, a business associate is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, and a subcontractor that does so on behalf of a business associate is itself a business associate.
“When a covered entity engages the services of a CSP [Cloud Services Provider] to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate,” the guidance says.
This is also the case, the guidance states, even when the cloud provider stores only encrypted ePHI and does not hold the decryption key. There was some debate on this point, and the HHS guidance now makes it clear: even when the cloud provider cannot read the data, it is not exempt from business associate status as far as HIPAA is concerned.
HHS made it clear that both covered entities and business associates must have a business associate agreement (BAA) with their cloud providers, because both parties are liable for complying with the HIPAA Rules. “This guidance presents key questions and answers to assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services,” the HHS said.
The good news here is that both covered entities and business associates can use a cloud service to store and process ePHI, provided that they enter into a HIPAA-compliant business associate agreement with the cloud provider that will handle ePHI on their behalf, and that they are otherwise HIPAA compliant. The agreement must establish the permitted uses and disclosures of PHI, including the provider’s obligation to report any breach of unsecured PHI to its customer.
Finally, the guidance made it clear that the business associate or covered entity must understand the cloud environment offered by its cloud provider, so that it can conduct its own risk analysis and establish its own risk management policies rather than relying on the provider’s assessment alone. “Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),” the guidance says.
The long-term takeaway for covered entities and business associates is twofold: nothing holds them back from using cloud services to run and build their business, but they cannot expect to simply shift risk to their cloud providers. HHS has made it clear that the security and privacy of ePHI is a shared effort, and healthcare providers are responsible for ensuring that their cloud service providers are getting the job done when it comes to meeting compliance mandates.
Editor’s Note: The Evident Security Platform provides an automated and continuous security and compliance monitoring solution for public cloud deployments. If you are looking to ensure that your cloud environments meet HIPAA standards, connect with one of our Cloud Solution Architects.