If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.
– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.
The OCR, Office of Civil Rights, is the federal enforcer of HIPAA/HITECH. This definitive statement straight from the governing body puts to rest the question about whether or not cloud providers should be considered business associates for covered entities in the healthcare industry, as well as the question of whether a business associate agreement is required or not.
Holtzman’s speech included a specific example of a recent HIPAA violation involving the Phoenix Cardiac Surgery physician practice. Protected health information (PHI) was found posted on an Internet-based calendar, openly available to the public. The practice was using a public cloud-based application that did not have any privacy or security controls.
The lessons learned, according to Holtzman, include the physician’s lack of security and privacy controls, as well as the failure to consider cloud providers to be business associates and sign a business associate agreement (BAA).
Why is it imperative to sign a BAA with a HIPAA cloud provider, as a healthcare organization concerned about PHI security and HIPAA compliance?
Who has access to data and rights to your data should be clarified in the BAA with your cloud provider – some cloud providers may include provisions in your contract that give them ownership and control of your data while hosted in their environment. Loss of ownership and control may mean your PHI can be left vulnerable to a breach.
HIPAA security standards apply to covered entities within the United States; if your data is being hosted overseas, the same privacy and security laws may not apply. Know where your data lives and assess the physical, logical and network security of the data center or hosting facility. Read more about Data Center Security and Secure Hosting.
A clause in your BAA should address breach notification in the event of a data leak – if your cloud provider is aware of a breach, they should have a plan in place that outlines a timeline of notifying the covered entity and their next steps. The OCR requires multiple documents within ten days of a breach – check that your cloud provider is aware of and has the information or ability to help you collect and/or create those documents.
Security and Privacy Controls
Does your cloud provider have documented policies and procedures in place that include employee training on how to securely handle PHI? The obligations and responsibilities of the cloud provider should be outlined in your BAA clearly.
Protocol After Termination
After contract termination with a cloud provider, the terms of data destruction and/or how to return the data to the covered entity should be addressed. Keeping copies of sensitive information within your organization is key to maintaining the data confidentiality and access limitation.
The OCR’s HIPAA audit pilot program launched late last year was intended to identify areas of improvement for covered entities when it comes to data security. With this field research, the OCR can provide more useful guidelines for other healthcare organizations, including the necessity of signing of a BAA with cloud vendors.
HIPAA Audits Wrapping Up at Year’s End as Federal Funding Winds Down – Health Law Resource Center, Bloomberg BNA