On October 7, 2016, the HHS Office for Civil Rights (OCR) released its new webpage, “Guidance on HIPAA & Cloud Computing.” Healthcare organizations are increasingly using cloud computing vendors for electronic records, billing and revenue cycle management, file sharing, backup, and a wide variety of other functions. This guidance is designed both for HIPAA-regulated entities that use cloud computing services and for the cloud computing vendors themselves.
The guidance affirms that cloud computing can be done in a HIPAA-compliant fashion, and offers a broad review of the requirements from the perspective of both the purchaser and the cloud computing vendor.
The guidance takes aim at some of the cloud computing industry’s strategies to avoid HIPAA compliance, and/or to persuade clients that they are not HIPAA Business Associates. For example, the guidance cites the scenario in which the cloud vendor cannot read a client’s data because of encryption. In this scenario, all data on the cloud site is encrypted, and the client alone holds the encryption key. HHS asserts that even though the vendor cannot read the ePHI, the vendor is still a HIPAA Business Associate because it “creates, receives or maintains” ePHI.
The guidance also addresses the so-called “conduit exception.” The HIPAA conduit exception is a specific exception granted to entities such as the U.S. Postal Service that deliver PHI but never look at it. Such entities are exempt, but this is a narrow exemption limited to delivery services. The guidance also asserts that vendors whose services involve “creating, receiving or maintaining” ePHI, such as a web hosting vendor, cannot claim the conduit exception. However, this guidance seems to allow an argument that vendors offering video conferencing, remote access services (e.g. LogMeIn) or online meeting services could claim the “conduit exception” if they didn’t store information. So, if the video conferencing vendor included the ability to record and store a session, and the session included PHI, this persistent storage would cause the vendor to be a Business Associate.
Covered entities and business associates alike are warned in the guidance that if they fail to obtain a HIPAA BAA with a cloud computing vendor, they may suffer consequences. The guidance explicitly cites OCR’s enforcement action against Oregon Health & Science University, which was hit with a $2.7 million settlement, partially because it stored information on 3,000 individuals on a cloud server without first securing a HIPAA BAA.
Cloud vendors also receive a warning in the guidance. OCR acknowledges that cloud vendors, such as a general purpose hosting vendor, may have no knowledge that a particular customer is a HIPAA covered entity storing ePHI on their systems. Such vendors are advised that if they discover ePHI on their systems and take action within 30 days either to become HIPAA compliant or to terminate the customer relationship and return the ePHI, they could likely avoid fines and penalties.
Finally, the guidance provides significant detail regarding the specific requirements for a cloud vendor to attain HIPAA compliance. Essentially, cloud vendors must comply with the HIPAA Security Rule and the HIPAA Breach Notification Rule, and, to the extent that they perform actions on behalf of their customer, those actions must comply with the HIPAA Privacy Rule. One element of compliance is having a comprehensive set of HIPAA Policies and Procedures. [Cloud computing vendors may be interested in Eagle’s HIPAA Policies and Procedures for Medical Cloud Computing Vendors, available in Eagle’s online store.]