HIPAA In 2017 Is Not Your Old HIPAA; It’s Grown Teeth
Contributed Commentary By Frank Krieger
February 16, 2017 | There are ways that you can ensure your cloud provider is HIPAA/HITECH compliant, and there are also steps you can take to review that posture: independent auditor reviews, alignment with the HITRUST CSF framework, transparency of policies, and governance and auditability. In 2017, Health and Human Services (HHS) and the Office for Civil Rights (OCR) are both working hard to ensure enforcement is aligned with HIPAA.
Over the last year there has been more and more guidance issued around cloud providers and third-party processing firms, and a growing understanding that enforcement is a priority. It is paramount that organizations holding ePHI and other protected data do their due diligence when seeking a cloud provider – actually, it is financially in your best interest to do so. Take a look at the HHS guidance for cloud providers to HIPAA entities:
What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R. §§ 164.308(b)(1) and 164.502(e).
Ah-ha! The notorious Business Associate Agreement (BAA) is mentioned straight away. For organizations that perform annual HIPAA audits this should not be anything new – every auditor in the world is going to ask you to bring out your BAAs and validate that your third-party suppliers are under a BAA for the services they provide. However, for a lot of other folks, this might be something they have never seen.
Under the HHS rules, you need a BAA whenever you plan to use a third party for claims processing, cloud compute, or data storage. Seems straightforward enough – your cloud provider needs to be willing to sign a BAA. However, there is a bit more to it. Are you signing their BAA, or are you using your BAA? There are a lot of providers out there that will jump up and down and shout that they are willing to sign a BAA, but when you go to redline that document you are told that it is not open to revision.
Not every BAA is the same; the protections and scope you want may not be in that document, and signing a BAA with a vendor that doesn’t offer clear delineations protecting your environments and ePHI data is nearly as bad as having no BAA at all.
And not all clouds are the same – some simply do not offer the data protections and legal agreements that align with HIPAA/HITECH. It is imperative that, before you start moving to the cloud, you ask about the provider’s BAA policy and review any documentation you receive. Moreover, you should have the ability to negotiate that document rather than simply accept whatever is lobbed over email at you.
Take time to ask questions, involve your compliance team and that of the vendor, and review those BAA agreements closely!
Frank Krieger is iland’s Director of Compliance, bringing to the organization over 18 years of IT and compliance background. Having served six years in the US Army and graduated from Northern Michigan University’s Walker L. Cisler College of Business, Frank brings deep, agile and disciplined experience in enterprise IT services, operations, governance and compliance. He can be reached at fkrieger@iland.com.