The HIPAA Security Rule and Cloud Computing

Commentary December 16, 2017 at 12:15 AM
Share & Print

The HIPAA Security Rule regarding electronic transactions requires administrative, physical, and technical safeguards detailed under eighteen standards to ensure the confidentiality, integrity, and availability of electronic protected health information (PHI) that is maintained, used, or transmitted by a health plan or provider. Designed to be technology neutral, the Security Rule allows covered entities to devise policies, procedures, training, and implementation approaches that will work with their existing system capabilities.

The Security Rule standards are broken down into two types: required and addressable. Required standards are those that must be addressed by all covered entities in order to attain and maintain compliance with the Security Rule. Standards that are "addressable" provide some flexibility to covered entities in that if the covered entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. Or if the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure.

The Security Rule does not expressly prohibit the use of email for sending electronic PHI. But the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI. The standard for transmission security also includes addressable specifications for integrity controls and encryption. The Security Rule allows for electronic PHI to be sent over an electronic open network as long as it is adequately protected.

The Security Rule makes the use of encryption an addressable implementation specification. In other words, there is no mandatory format for achieving a secure encryption. Covered entities are free to address this particular issue in any manner that best suits their particular requirements.

Physical safeguards under the Security Rule are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls.

The Security Rule does not apply to written or oral communications (they are covered under the broader PHI rule). This includes paper-to-paper faxes, video teleconferencing, and messages left on voice mail (because the information exchanged did not exist in an electronic format prior to transmission). The electronic Security Rule does apply to PHI transmitted via telephone voice response and faxback systems because they are used as input and output devices for computers.

If an individual (i.e., a subscriber or a patient) uses his or her credit or debit card to pay for health care, related costs are exempt from the Security Rule unless the individual making the payment is acting in some capacity on behalf of a covered entity.

Data stream (Image: Thinkstock)

(Image: Thinkstock)

Covered entities that allow employees to telecommute or work out of home-based offices and allow them to have access to electronic PHI must implement appropriate safeguards to protect the organization's data. The automatic logoff implementation specification is addressable. But the information access management and access control standards require the covered entity to implement policies and procedures for authorizing access to electronic PHI and technical policies and procedures to allow access only to those persons or software programs that have been appropriately granted access rights.

HIPAA Privacy and Security Rule under Cloud Computing

The U.S. Department of Health and Human Services (HHS) has issued guidance regarding the practice of using a network or remote servers hosted on the internet to store, manage and process PHI under HIPAA (Cloud Computing). The guidance confirms that cloud service providers (CSPs) are business associates under the Health Insurance Portability and Accountability Act (HIPAA) and are, therefore, must comply with the applicable provisions of HIPAA.

This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

In cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties. In particular, where only the customer controls who is able to view the ePHI maintained by the CSP, certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the CSP business associate. HHS advises that which access controls are to be implemented by the customer and which are to be implemented by the CSP may depend on the respective security risk management plans of the parties as well as the terms of the BAA.

HHS goes on to advise that, as a business associate, the CSP is still responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to information systems that maintain customer ePHI.. The CSP and the customer should each confirm in writing, in either the BAA or other documents, how each party will address the Security Rule requirements.

As a business associate, a CSP that offers only no-view services to a covered entity or business associate still must comply with the HIPAA breach notification requirements that apply to business associates, specifically a CSP is responsible for notifying the covered entity (or the business associate with which it has contracted) of breaches of unsecured PHI.

If the ePHI that has been breached is encrypted consistent with the HIPAA standards set forth in 45 CFR § 164.402(2) and HHS' guidance the incident falls within the breach "safe harbor" and the CSP business associate is not required to report the incident to its customer. However, if the ePHI is encrypted, but not at a level that meets the HIPAA standards or the decryption key was also breached, then the incident must be reported to its customer as a breach, unless one of the exceptions to the definition of "breach" applies.

Note: a CSP is not a business associate if it receives and maintains (e.g., to process and/or store) only information de-identified following the processes required by the Privacy Rule."


— Connect with ThinkAdvisor Life/Health on
Facebook and Twitter.

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center