Healthcare entities and Cloud Service Providers (CSPs) have been reluctant to form business partnerships because of uncertainty about HIPAA Privacy and Security concerns. Cloud technology was not mentioned in the original HIPAA legislation of 1996, nor was it included in the HITECH Act of 2009. Apart from large-scale EMR outsourcing to a private cloud hosted by their vendor, healthcare organizations shied away from other CSP services. The Department of Health and Human Services had not provided any definitive guidance, and healthcare providers did not have a clear understanding of the risk and compliance pitfalls.
This hasn’t stopped healthcare staff from using all manner of consumer-grade cloud solutions. With Dropbox, Box and iCloud, healthcare staff sync the files on their mobile, tablet and laptop devices to readily available services that are not HIPAA “compliant”, and none of these vendors has a Business Associate Agreement (BAA) with the healthcare provider. This is a huge compliance risk to healthcare organizations. There will be a large cost associated with the move toward CSPs who will sign a Business Associate Agreement (BAA), since many consumer solutions will not agree to the privacy and security stipulations of HIPAA.
Recently HHS released its Guidance on HIPAA & Cloud Computing, providing the basic risk and compliance building blocks so healthcare entities can start making appropriate decisions with an eye toward managing their compliance and risk obligations.
I had the opportunity to review the new guidance document with the Connected Health Initiative (CHI). This group is heavily involved in the promotion of innovation in mHealth and telehealth, and provides a group of like-minded companies to discuss and navigate the regulatory waters in healthcare.
The results of the meeting can be distilled to a few points:
- A HIPAA-covered entity or business associate can use a cloud service provider (CSP) to store or process electronic protected health information (ePHI).
- A CSP that stores encrypted ePHI of a covered entity and does not hold a decryption key for the data is still considered a business associate. To comply with HIPAA, the CSP and the covered entity must execute a Business Associate Agreement (BAA).
- The HHS Office of Civil Rights (OCR) has signaled there will be flexibility around some applications of HIPAA when it comes to de-identified vs encrypted data. De-identified data is often used for medical research or educational purposes.
- HIPAA contains no restriction that blocks covered entities or their business associates from using a CSP to store their Protected Health Information (PHI) on international servers.
Personally, I am concerned about Point 4 and the permissibility of CSPs storing ePHI on servers outside the U.S. The issues with intellectual property rights and the potential issues with data integrity would be a red flag in the risk management department, in my view. If a healthcare provider does decide to use a CSP that stores the PHI outside the U.S., I would have a very strong contract with the appropriate language in place to protect that sensitive data.
Let me know your thoughts in the comments below.