Cloud Service Providers Must Become HIPAA Compliant

On 26th March, 2013 the Omnibus Final Rule of the Health Insurance Portability and Accountability Act came into effect, after a long period of amendments and adjustments. The main purpose of the new legislation is to adjust the HIPAA Privacy and Security Rules and breach notification rules, with this major amendment often referred to as “The HIPAA Mega Rule”. The new rules apply to all HIPAA covered entities and the Department of Health and Human Services will be enforcing the rules; its Office for Civil Rights is due to commence a serious of random audits to check for compliance later this year.

The new rules apply not only to healthcare organizations but also their business associates. Under the final rule the definition of business associate has also been changed, and now includes any provider of a service that has contact with electronic protected health information (ePHI). Specifically this means any entity that “creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity”, and they must now agree to abide by the HIPAA Omnibus final rule.

This means that data centers and providers of cloud services servicing the healthcare industry or any HIPAA-covered entity are now covered under HIPAA regulations if they have any customers or provide services that involve contact with electronic protected health information.

A great deal of hosting providers and companies offering cloud solutions to healthcare organizations have already signed business associate agreements to ensure HIPAA compliance, even though the legislation did not specially call for it. The Final Rule clarifies exactly who is now covered, and states that even if no contact is maintained with the data, security rules must be adhered to. Data storage companies are therefore also covered.

Business associates using subcontractors to provide part of the service, or assist with other company tasks that bring them into contact with ePHI data, or the servers on which the data is stored, are also covered under this legislation. If a subcontractor is required to maintain, receive, create, analyze or transmit ePHI data, they must also abide by HIPPA privacy and security rules.

A failure to maintain the appropriate data security standards and comply with all HIPAA requirements will see the BA’s concerned liable to be fined directly by the OCR, and audits are not expected to be restricted to healthcare organizations. Heavy financial penalties will be applicable if non-compliance issues are discovered.

Under the new Omnibus Rule, cloud hosting providers and data storage companies, together with their subcontractors will be liable for any of the following data security and privacy issues, even if they have not previously signed a business associate agreement.

  • Any disclosure of ePHI to an unauthorized individual
  • Improper use of ePHI
  • Not being in possession of a current, signed business associate agreement with any subcontractors who come into contact with ePHI data
  • Failure to exercise appropriate security controls to restrict access to ePHI
  • Failure to issue a breach notification to the covered entity if a security breach occurs
  • Failure to disclose PHI to the HHS, or entity stipulated by the HHS
  • Failure to provide details of previous disclosures of PHI to other individuals or entities.
  • Failure to provide access to the legitimate owner of the data upon written request.

Providers of cloud services can expect to be subjected to more stringent checks on how data is stored and transmitted, as well as providers of services to those companies. Violations of HIPAA regulation now carry stiffer penalties with a maximum of $1.5 million in fines applicable for data breaches, disclosures and serious violations of the new rule, and between $150 and $50,000 per single violation. The compliance deadline is Sept 23, 2013.

One of the most efficient and secure methods of ensuring HIPAA compliance when providing cloud services is to segment the business and create specific sections which comply with all HIPAA regulations. This makes it easier to administer individual client services and ensures that any HIPAA-covered client can be assured of HIPAA compliance.

More stringent data security policies can be easily applied to all hardware and software used in that section of the facility and the staff can receive appropriate training. Data centers and cloud service providers should also consider developing their own business associate agreement to use for subcontractors, which should clearly state where liability lies in cases of accidental or deliberate disclosure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.