HIPAA and the Cloud: Understanding HIPAA Compliance When Outsourcing to a Cloud Service Provider
Updated: Sep 26, 2018
To cloud, or not to cloud? That is the big question for many in healthcare, whether a small practitioner, a business associate, or a sprawling healthcare network. Outsourcing healthcare data storage and processing obligations to a cloud entity can be a tremendous benefit, offloading infrastructure costs, maintenance practices, scalability management, bandwidth planning, disaster recovery, security compliance, etc. But can the headache and legality of HIPAA compliance be transferred to the cloud service provider?
The View from the Department of Health and Human Services (HHS)
Do compliance obligations shift from the healthcare provider to the cloud service provider (CSP) with the right approach? First, let’s review HHS definitions. If the CSP creates, receives, maintains, or transmits electronic protected health information (ePHI) on behalf of another, it is referred to as a business associate (BA). According to the HHS, both the healthcare provider AND the BA/CSP have combined obligations and should be bound together by a legal contract called a Business Associate Agreement (BAA). The HHS says that “this is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA rules”. To reiterate, the CSP is both contractually liable for meeting the terms of the business associate agreement and directly liable for compliance with the applicable requirements of HIPAA rules. So, when outsourcing to a CSP, what must be done?
Vetting the CSP During the Risk Analysis, a Legal Requirement
In working with HIPAA compliance engagements, it is more common than not to find companies that employ a CSP without first obtaining a BAA. Have you implemented a business associate agreement with cloud service providers? If you have not, this needs addressed diligently and expediently. Omission is a punishable violation of HIPAA Rules 45 CFR §§164.308(b)(1) and §164.502(e), and fines can be steep, even for unintentional omission. All entities that create, receive, maintain or transit ePHI must comply with every applicable provisions of HIPAA rules, regardless of whether a BAA has been executed or not per 78 Fed. Reg. 5565, 5598 (Jan 25, 2013). If a CSP becomes aware that an entity is using its services without a BAA, it has a choice: (a) come into compliance with all HIPAA requirements; (b) securely return the ePHI; or (c) securely destroy the ePHI.
When outsourcing to a CSP, the cloud service must be understood by the outsourcing entity in order to conduct a risk analysis and establish risk management policies. Likewise, the CSP must conduct its own risk analysis and establish its own risk management policies. More likely, established CSPs already have risk assurance practices in place, and a gap analysis should be conducted to compare current practices against HIPAA requirements, resulting in an understanding of any gaps to be bridged. This is usually how we approach many engagement, starting with a proper gap analysis. The risk analysis identifies potential threats and vulnerabilities to the confidentiality, integrity and availability of ePHI created, received, maintained, or transmitted. Often, the CSP’s service level agreement (SLA) is a key document for identifying system availability, data recovery metrics, security practices, retention policies, and other specificities. Ensure the terms of the SLA are consistent with the BAA agreement as well as HIPAA Rules.
ISO 27018 + HIPAA? Does Implementing ISO Standards Help with Compliance?
If your firm adheres to the ISO 27001 standard, you’ve implemented a framework that employs numerous security controls. For instance, ISO 27001 (the standard) with NIST or ISO 27002 (controls) together provide an excellent baseline of information security practices, but these alone do not conform to all that HIPAA requires without additional measures. For instance, Microsoft maintains ISO 27001 certification (the standard) with ISO 27002 controls, creating an excellent starting point. Added to this baseline, Microsoft also implements ISO 27017 (cloud security controls) and ISO 27018 (protecting information in the cloud) to largely close the gap between HIPAA requirements and its practices; these controls arrive as newer standards for cloud services. Writing for Microsoft, Hemant Pathak explains how ISO 27018 “modernizes data security and privacy by adding key protections for customer’s personally identifiable information stored in the cloud” (Pathak, 2015), especially how ISO 27018 + HIPAA BAAs help to establish trust in cloud computing.
Microsoft believes that a cloud provider’s adoption of ISO 27018 is not only complimentary to HIPAA, but also necessary for healthcare customers to confidently migrate their important and sensitive data to the cloud in a compliant manner. Many of the pillars of ISO 27018 will look familiar to the healthcare industry, as they align to requirements already set forth in HIPAA. (Pathak, 2015)
What does this mean? Writing for InfoWorld, Stan Gibson notes “compliance with ISO 27018 means a cloud provider has undertaken a list of procedures for handling PII” which closely parallels the requirements for ePHI (Gibson, 2015). For some entities, especially those with ISO 27001 certifications, it may be worthwhile to consider implementing ISO 27018 to meet HIPAA requirements. The obligations of the Security Rule, Privacy Rule, and Breach Notification Rule with ISO 27018 can be baked into the overall scope and wrapped into an ISO 27001 certifiable package. We can help you evaluate this approach as opposed to a standalone HIPAA compliance practice.
Which CSPs Offer HIPAA-compliant Cloud Services?
While the OCR does not endorse, certify, or recommend specific technology or products, many CSPs work with compliance firms such as ours to ensure conformity with all that HIPAA requires. For instance, in relation to pure cloud services, large providers such as Microsoft, Amazon, Dropbox, and Google support HIPAA providing that entities procure a service designated as a HIPAA account which must first be acquired by implementing a BAA. For example, Google offers BAAs which cover Gmail, Google Calendar, Google Drive, Google Apps Vault, etc. but it is incumbent upon organizations to configure these services to be HIPAA compliant. Even with large services such as these, performing a risk analysis is required by the HHS. If you need help, our firm has performed audits on many CSP, including Google.
Services such as Apple’s iCloud, CrashPlan, SugarSync, and BackBlaze are not HIPAA compliant as of this writing. Avoid using these at all costs. Remember, don’t roll the dice and chance compliance with HIPAA.
Other industry specific cloud services should be evaluated before employing their services. For instance, nearly all business employ some form of unified communication and collaboration (UC&C or UCC). Surprisingly, healthcare organizations may have a conference that involves some form of ePHI (perhaps in a meeting title, an IP address in a call detail record, etc.). Be sure the CSP can enter into a BAA before using the service. As of this writing, companies such as Pinnaca and Zoom provide HIPAA compliant services and are willing to enter into a business associate agreement, but the majority do not.
With HIPAA, Outsource Responsibly!
According to the HIMSS Analytics 2016 Cloud Survey, healthcare organizations “are tripling the use of cloud services” from just two years prior (HIMSS Media, 2016). Forrester reports the public cloud market will grow to $236 billion in 2020 (Bartels, Bartoletti, & Rymer, 2016). Behind this migration is cost savings, robust disaster recovery, scalability, speed of deployment, and mobility. But outsourcing regulatory compliance is not only a misnomer, it’s subject to prosecution. When outsourcing anything related to HIPAA, outsource responsibly with a full understanding of each entity’s roles. The audit of one entity will likely entangle associated entities in an investigation, including the healthcare provider, the cloud service provider, their business associates, and so on.
My advice with clients has always been consistent: Don’t Mess with HIPAA! If you outsource, outsource responsibly, vetting your vendor, implementing a business associate agreement, conducting a risk analysis, and practicing risk management including an internal audit. Then repeat.
So go ahead and enjoy the many benefits of outsourcing, but consider all of these obligations carefully, and outsource responsibly with HIPAA.
About the Author
Scott Allendevaux is a senior partner and leads the cybersecurity practice at Allendevaux & Company; he also specializes in regulatory compliance with many United States regulations for data privacy and information security. HIPAA and HITECH compliance are one of his specialties, conducting audits and leading compliance efforts for healthcare and business associate entities. He may be contacted at email@example.com.
Bartels, A., Bartoletti, D., & Rymer, J. (2016, September 1). The Public Cloud Services Market Will Grow Rapidly To $236 Billion In 2020. Forrester. Retrieved from https://www.forrester.com/report/The+Public+Cloud+Services+Market+Will+Grow+Rapidly+To+236+Billion+In+2020/-/E-RES132004
Gartner Group. (2017). Cloud Computing. Gartner IT Glossary. Retrieved from http://www.gartner.com/it-glossary/cloud-computing/
Gibson, S. (2015, November 2). ISO 27018 compliance: Here's what you need to know. (J. Gallant, Ed.) InfoWorld. Retrieved February 16, 2017, from http://www.infoworld.com/article/3000021/cloud-computing/iso-27018-compliance-heres-what-you-need-to-know.html
HIMSS Media. (2016). The Cloud Evolution in Healthcare: HIMSS Analytics Survey Sheds Light on Where We've Been, Where We Stand - and Where We're Headed. HIMSS Analytics. Retrieved from http://www.level3.com/-/media/files/ebooks/en_cloud_eb_healthcare.pdf
Pathak, H. (2015, June 17). ISO 27018 + HIPAA BAA Help Establish Trust in Cloud Computing. Retrieved from https://enterprise.microsoft.com/en-us/industries/health/iso-27018-hipaa-baa-help-establish-trust-in-cloud-computing/
Sullivan, T. (n.d.). OCR: Onsite HIPAA Audits Coming in 2017. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/ocr-onsite-hipaa-audits-coming-2017