HIPAA and the Cloud (Benefit Minute)
Cloud computing allows convenient, on-demand network access to a shared pool of computing resources (such as networks, servers, storage and applications) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The computing resources are pooled to serve multiple customers and can be scaled to meet changes in demand.
There are a variety of cloud models, including:
- Private cloud – exclusive use by a single organization.
- Community cloud – use by a community of customers that have shared concerns (including security requirements and compliance considerations).
- Public cloud – open use by the general public.
- Hybrid cloud – use by two or more distinct cloud models that remain unique entities but are bound together by standardized or proprietary technology.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s privacy, security and breach notification rules require safeguards for protected health information (PHI) that is created, received, maintained or transmitted by a covered entity (including a health insurer or group health plan) or a business associate.
The implementation of file sharing and collaboration tools, including tools that use cloud technology, introduces additional risks to the privacy and security of electronic PHI (ePHI). For example, access, authentication, encryption and other security controls may be disabled or left at their default settings when data is transferred to or stored in the cloud, which can lead to unauthorized access to or disclosure of sensitive data.
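The misconfiguration risk just described (controls disabled or left at provider defaults) is something a covered entity can check for before ePHI is placed in a cloud store. The following is an added illustration, not part of the original article or of any HHS guidance: it audits a constructed configuration record against a small set of expected controls. The configuration keys, the sample records and the severity levels are all invented for this example and do not correspond to any particular cloud provider's API.

```python
"""Audit a cloud storage configuration for disabled or defaulted controls.

Constructed example: the configuration schema (keys such as
``public_access_blocked``), the two sample records and the severity
labels are assumptions made for this illustration only.
"""

from dataclasses import dataclass

# Controls that should be explicitly enabled before ePHI is stored.
# Each rule: (configuration key, expected value, finding text).
REQUIRED_CONTROLS = [
    ("public_access_blocked", True, "storage is reachable without authentication"),
    ("mfa_required", True, "multi-factor authentication is not enforced"),
    ("encryption_at_rest", True, "data at rest is not encrypted"),
    ("tls_required", True, "data in transit is not required to use TLS"),
    ("access_logging", True, "access logging is disabled"),
]


@dataclass
class Finding:
    control: str
    severity: str
    detail: str


def audit_store(config: dict) -> list:
    """Return a list of Findings for every control that is unset or disabled."""
    findings = []
    for key, expected, description in REQUIRED_CONTROLS:
        value = config.get(key)
        if value is None:
            # A key that was never set means the provider default applies,
            # which is exactly the situation the article warns about.
            findings.append(Finding(key, "high", f"{description} (left at provider default)"))
        elif value != expected:
            findings.append(Finding(key, "high", description))

    # Key custody: encryption alone does not remove the provider from scope,
    # so the risk analysis should record who holds the decryption key.
    if config.get("encryption_at_rest") and config.get("key_managed_by") == "provider":
        findings.append(Finding("key_managed_by", "medium",
                                "decryption key is held solely by the provider"))
    return findings


def is_ready_for_ephi(config: dict) -> bool:
    """True only when the audit produces no high-severity findings."""
    return not any(f.severity == "high" for f in audit_store(config))


# Constructed sample 1: a store created and left at (assumed) provider defaults.
DEFAULT_STORE = {
    "name": "example-phi-store",
    "encryption_at_rest": True,     # provider encrypts by default...
    "key_managed_by": "provider",   # ...with a key only the provider controls
    "public_access_blocked": False,
}

# Constructed sample 2: the same store after the controls have been set deliberately.
HARDENED_STORE = {
    "name": "example-phi-store",
    "public_access_blocked": True,
    "mfa_required": True,
    "encryption_at_rest": True,
    "key_managed_by": "customer",
    "tls_required": True,
    "access_logging": True,
}


if __name__ == "__main__":
    for label, store in (("defaults", DEFAULT_STORE), ("hardened", HARDENED_STORE)):
        print(f"{label}: ready for ePHI = {is_ready_for_ephi(store)}")
        for f in audit_store(store):
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

Run as a script, the defaulted record produces four high-severity findings (public access, MFA, TLS and logging) plus the medium key-custody note, while the hardened record produces none. A real audit would read the configuration from the provider's API rather than from an inline dictionary, but the principle is the same: every control is checked explicitly, and "not set" is treated as a finding rather than assumed safe.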
Use of cloud service providers has also raised questions about whether these entities are HIPAA business associates when the cloud is used to create, receive, maintain or transmit ePHI.
In response to these questions, the Department of Health and Human Services (HHS) has provided guidance on this topic. The guidance clarifies:
- A cloud service provider will be a business associate if it creates, receives, maintains or transmits ePHI on behalf of a covered entity or another business associate. Therefore, a HIPAA-compliant business associate agreement must be in place. The business associate agreement will contractually require the cloud service provider to implement the requirements of the security rule and appropriately safeguard the ePHI.
- The covered entity or business associate using the cloud service provider must have a complete understanding of the cloud computing environment and conduct its own risk analysis to identify the potential threats and exposures to the confidentiality, integrity and availability of the ePHI. While any cloud model may be used, the model selected may impact the risk analysis and the risk management policies that are developed as a result of the risk analysis.
- Even if a cloud service provider stores only encrypted ePHI and does not hold the decryption key (meaning that the cloud service provider cannot view the information), the cloud service provider is still a business associate because such protections alone cannot adequately safeguard the ePHI or meet all of the requirements of the security rule.
- If a cloud service provider experiences a security incident involving ePHI or a breach of unsecured ePHI, there is a requirement to report this to the covered entity or other business associate in accordance with the security rule. Even if encryption is in place, a breach may occur if the encryption is not at the level that meets HIPAA standards or if the decryption key was also breached.
- A covered entity or business associate may use a cloud service provider that stores ePHI on servers located outside of the United States as long as the requirements of the security rule are met. However, the risk analysis and risk management policies should address any additional threats or exposures that may exist, especially if the ePHI is maintained in a country where there are documented increases in hacking attempts or malware attacks.
Risk Analysis Tool
The risks associated with use of cloud services reinforce the importance of the risk analysis process, which is the first step in identifying and implementing safeguards to protect the confidentiality, integrity and availability of ePHI. The security rule includes an express requirement to complete this process.
HHS has developed an interactive security risk assessment tool, downloadable free of charge, to assist with the process. The tool asks specific questions about the activities of the covered entity or business associate and, based on the answers, provides guidance on the corrective action that should be taken for each item. While use of the tool is not required (and compliance is not guaranteed by using it), it does provide a framework for performing a risk analysis.