The following is a guest post by Phil Cox, Director of Security and Compliance for RightScale
With the January 2013 release of the Omnibus Rule, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is complete. The rule builds on top of the Health Information Technology for Economic and Clinical Health (HITECH) Act that followed HIPAA in 2009 to provide the enforcement provisions that gave HIPAA teeth. The Omnibus Rule comes at a time when many organizations in the healthcare industry are turning to public and private cloud adoption to meet their business needs, taking advantage of the cloud’s cost advantages and its ability to unleash greater agility and innovation in healthcare IT. If your organization is considering the cloud, your due diligence should extend not only to the relevant provisions of the Omnibus Rule, but also to the practices you and your business associates must implement to meet its requirements.
Your organization must be in compliance with the Omnibus Rule by September 23, 2013. As you consider how its provisions apply to your cloud computing projects, you need to pay particular attention to three of the Administrative Simplification Rules in Title II: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The Privacy Rule regulates the use and disclosure of information held by “covered entities” (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers). It establishes regulations designed to prevent unauthorized use and disclosure of Protected Health Information (PHI), which is any information held by a covered entity that concerns health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI, including paper and electronic, the Security Rule deals specifically with electronic Protected Health Information (ePHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard, it names required implementation specifications, which organizations must adopt and administer as dictated by the rule, as well as addressable specifications, which permit organizations to adopt alternative measures, as long as they address the purpose of the standard.
The Breach Notification Rule is designed to ensure that, in the event of a failure to comply with either the Privacy or Security Rule, affected parties are notified in a timely fashion. Violations can cost your organization up to $50,000 each, with a $1.5 million cap for “identical violations”.
These rules apply not only to direct healthcare providers, but also to a category of organizations known as business associates. A business associate is a “person” who creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
The Omnibus Rule also clarified the “conduit” exception:
… We note that the conduit exception is limited to transmission services (whether digital or hard copy)… In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information… the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. (emphasis added)
Thus, if you want to implement HIPAA on a cloud platform, your cloud provider must be willing to sign a business associate agreement (BAA) in order to comply with the Omnibus Rule. Not all of them will, which may influence your choice of provider. Microsoft, for its Windows Azure platform, generally will, and Datapipe sometimes will; many other providers will not. Some companies claim Amazon AWS has signed BAAs, although Amazon has not made a public statement about it. When in doubt, ask your provider.
Four Tips for Complying with HIPAA in the Cloud
I recommend organizations that fall under HIPAA and HITECH take the following steps:
- Protect ePHI when transmitting it over public networks. This typically means encrypting data in transit over a public network using a VPN or SSL. One interesting point to note is that you typically do not have to encrypt data in transit over a private network. This means that if you are using a private cloud, encryption is not necessarily required, though it may be a good practice. The use of a private IP address range, and the cloud provider’s guarantee that instances cannot access packets from other instances’ traffic, may provide adequate controls.
- Protect data at rest. Again, this typically means using some type of encryption. You can use a product like Trend Micro SecureCloud, or other applications that provide volume encryption and remote object storage encryption. Make sure you also maintain good key management practices.
- Implement role-based access control in your application.
- Implement a process to review audit logs from systems that use or contain ePHI.
I recently presented a session on HIPAA in the Public Cloud at my company’s annual conference, RightScale Compute. I invite you to watch the video for many more details than I have room to share here.
Phil Cox is the director of security and compliance at RightScale, a company providing cloud management services that enable organizations to easily deploy and manage business-critical applications across public, private, and hybrid clouds.