HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.

Even when a cloud computing platform provider has HIPAA certification, or claims that its service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis (see 45 CFR § 164.308(a)(1)(ii)(A)) has been performed.

A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service (45 CFR § 164.308(a)(1)(ii)(B)). Any risks identified must be managed and reduced to a reasonable and appropriate level.

A comprehensive, HIPAA-compliant risk analysis cannot be performed unless the covered entity fully understands the cloud computing environment and the service being offered by the platform provider.

Cloud Service Providers are HIPAA Business Associates

A HIPAA business associate is any person or entity who performs functions on behalf of a covered entity, or offers services to a covered entity that involve access being provided to protected health information (PHI).

The HIPAA definition of business associate was modified by the HIPAA Omnibus Rule to include any entity that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to providers of cloud computing platforms.

Consequently, a covered entity must obtain a signed business associate agreement (BAA) from the cloud platform provider before any PHI is uploaded to the platform. A BAA must still be obtained even if the platform is used only to store encrypted ePHI and the decryption key is never given to the platform provider. The only exception would be when the cloud platform is used only to store, process, maintain or transmit de-identified ePHI.

The BAA is a contract between a covered entity and a service provider. The BAA must establish the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all elements of the HIPAA Rules that apply to the platform provider. Details of the contents of a HIPAA-compliant BAA can be obtained from the HHS website.

Cloud computing platform providers and cloud data storage companies that have access to PHI can be fined for failing to comply with HIPAA Rules, even if the service provider never views any data uploaded to the platform. Consequently, not all cloud service providers will be willing to sign a BAA.

A BAA Will Not Make a Covered Entity HIPAA Compliant

Simply obtaining a BAA for a cloud computing platform will not ensure that a covered entity is compliant with HIPAA Rules. HIPAA Rules can still be violated even with a BAA in place, because no cloud service can be truly HIPAA compliant by itself: HIPAA compliance depends on how the platform is used.

For example, Microsoft will sign a BAA for its Azure platform, but it is the responsibility of the covered entity to use the platform in a HIPAA-compliant manner. If a covered entity misconfigures the platform or fails to apply appropriate access controls, it is the covered entity that is in violation of HIPAA Rules, not Microsoft. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Penalties for Cloud-Related HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered entities that have failed to obtain business associate agreements before uploading PHI to the cloud, as well as for risk analysis and risk management failures.

St. Elizabeth’s Medical Center in Brighton, Massachusetts agreed to settle its case with OCR in 2015 for $218,400 for potential violations of the HIPAA Security Rule after PHI was uploaded to a document sharing service without first assessing the risks of using that service.

Phoenix Cardiac Surgery also agreed to settle a case with OCR for failing to obtain a business associate agreement from a vendor of an Internet-based calendar and email service prior to using the service in conjunction with PHI. The case was settled for $100,000.

In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being stored in the cloud without first obtaining a HIPAA-compliant business associate agreement.

HIPAA Compliant Cloud Computing Platforms

Both Amazon’s AWS and Microsoft’s Azure platforms can be used by HIPAA-covered entities. Both have all the necessary privacy and security protections in place to satisfy HIPAA requirements, and Amazon and Microsoft will sign BAAs with healthcare providers and agree to comply with HIPAA Rules.

AWS has long been the leading cloud service provider, although Microsoft appears to be catching up. If you are unsure which cloud computing platform provider to use, you can find more information in a comparison of Azure and AWS.

Cloud storage companies that support HIPAA compliance and can be used by HIPAA-covered entities for storing ePHI (after a BAA has been obtained) include Box, Carbonite, Dropbox, Google Drive, and Microsoft OneDrive.

The post HIPAA Compliance and Cloud Computing Platforms appeared first on HIPAA Journal.