HIPAA Considerations for the Cloud
It’s useful to begin with a quick glossary of terminology, as we understand that legal jargon isn’t in everyone’s vocabulary. On the HHS website, you’ll often see the following terms, so let’s break them down into plain English:
- Covered Entity = Health Plan, Health Care Provider, or Health Care Clearinghouse. Essentially, any party or business involved in a medical claim, from inception and validation through submission and payout.
- Business Associate = Any third-party business to a covered entity, such as a CSP, that deals with ePHI, including creating, maintaining, or transmitting it.
- Business Associate Agreement (BAA) = The agreement between the covered entity and the business associate, stating that the business associate (for example, the CSP) is directly liable for staying compliant with HIPAA.
HIPAA Security Rule Considerations
Any CSPs that are considered a business associate must comply with the Security Rule and its specific management of ePHI. It’s important to note that even if only encrypted storage is provided with no decryption keys, CSPs are still required to comply with HIPAA because they are still managing the data.
However, within the Security Rule, if both parties fully agree under the BAA, it’s possible for areas of compliance to be satisfied by just one party’s actions.
For example, the business associate, Acme Cloud Store Inc., and the covered entity, Happy Body Healthcare, have a BAA that states that all access control responsibilities are managed by the customer. Under this agreement, Acme Cloud Store Inc. provides a service that maintains ePHI through encryption and has a strict no-view policy. Its customer, Happy Body Healthcare, uses multi-factor authentication (MFA) to fully control who can access the sensitive information.
In this example, the customer is responsible only for managing access to the ePHI. To satisfy the requirements of the Security Rule, Acme Cloud Store Inc. is still required to apply its own strict access policies to the infrastructure hosting the ePHI.
HIPAA Privacy Rule Considerations
According to the Security Rule, a CSP can only use or disclose ePHI as permitted by the BAA, the Privacy Rule, or any other legal requirement. This extends to CSPs with a no-view policy, like Acme Cloud Store Inc., which cannot read the data and has no control over who accesses the information.
It’s also important to note that under the Security Rule, Acme Cloud Store Inc. must include a secure process for individuals to access, change, and receive their own ePHI. The Privacy Rule draws a fine line here: individual access to and amendment of ePHI must be maintained. However, it’s imperative to remember that the CSP is not permitted to entirely delete the data or block its customers’ access on behalf of that individual.
HIPAA Breach Notification Rule Considerations
It’s clear that notification is essential in nearly all cases of a breach. However, there are a couple of scenarios where notification is unnecessary.
The first is when the breached data was encrypted to HIPAA’s standards. This type of breach is considered “safe harbor”, where disclosure to the customer is not needed.
The second scenario where notification is inessential depends on what is legally considered a breach. According to Cornell Law School, the definition of a breach excludes any access to (authorized or not) or use of information that was done in good faith and not further used unlawfully. It is also not considered a breach if the unauthorized person would not have been able to retain the information. Understandably, this can create detrimental ambiguity in your processes or systems; consulting appropriate legal counsel is highly recommended.
How to Stay HIPAA Compliant
As part of a greater effort to aid HIPAA compliance within the cybersecurity space, the OCR aligned HIPAA with the National Institute of Standards and Technology (NIST) Framework. Because it is one of the most widely recognized standards in the industry, being NIST compliant already makes it easier to become HIPAA compliant.
To ensure that high standards and awareness are maintained, many businesses provide HIPAA compliance training and credentials. Many consultancies provide training, including the OCR, which offers different training modules to accommodate the wide range of entities that must comply with HIPAA.
Trend Micro Cloud One™ – Conformity is a compliance service that helps organizations understand where HIPAA compliance affects their infrastructure and how to maintain the high standards necessary to keep the risk of breaches and consequent fines as low as possible.