Cloud Service Providers Must Comply with HIPAA Regulations

The growing data storage demands placed on healthcare organizations require frequent hardware updates and increasing amounts of space dedicated to servers and IT staff must be employed to manage hardware, update software and maintain networks. Many healthcare companies lack the space or resources to securely store data and outsource their data storage to cloud service providers.

The recently introduced HIPAA Omnibus Rule – often referred to as the Megarule due to its extensive changes to existing legislation – updates the Health Insurance Portability and Accountability Act (1996) expanding its reach to include business associates of healthcare companies and their subcontractors.

In order to do business in the healthcare sector, IT and data storage companies must now comply with HIPAA regulations and sign a business agreement with the healthcare provide for whom they are providing the service.

In the case of cloud hosting companies it is clear that HIPAA regulations apply as the companies are required to store Protected Health Information, even if the data is not actually viewed.

According to HIPAA, the term business associate includes “Document storage companies maintaining protected health information on behalf of covered entities are considered business associates; regardless of whether they actually view the information they hold.” Even IT companies required to carry out work on servers containing PHI are now covered under HIPAA as business associates and no work must be completed without a business agreement being in place.

The new regulations are being enforced by the Department of Health and Human Services’ Office for Civil Rights. BAs will now be assessed for HIPAA compliance and can be held directly accountable for data breaches and non-compliance issues. The OCR will be conducting a series of audits and business associates will be included and can be fined directly for non-compliance issues and data breaches due to HIPAA violations. Fines have been increased to a maximum of $50,000 per violation and a total of $1.5 million per year.

If you or your company works with a healthcare organization or is required to view or come into contact with PHI you may already have an agreement in place. It is important that this is revised and updated to include the new requirements required by the Omnibus Final Rule. If subcontractors are employed they are the responsibility of the BA contracted to provide the service and these companies or individuals must also sign business agreements and agree to abide by HIPAA Privacy and Security Rules.

The Omnibus Rule has introduced many changes and should be read in full by compliance officers; however the main points affecting BAs are listed below:

Changes to Breach Notification Rules

Rules have now been changed regarding breach notifications. Previously, if a data breach posed no “significant risk of reputational, financial or other harm” there was no requirement to report it to the DHHS. The new rule makes it mandatory to report a breach unless a multi-factor risk assessment is conducted and determines that there is a very low risk of exposure. Breaches must be reported without reasonable delay if they affect more than 500 individuals and in no case later than 60 days following the discovery of a breach, while smaller breaches must be reported at the end of the year.

According to the DHHS, “while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.” Sample BA’s can be downloaded from the HHS website.

A New Risk Analyses Must be Conducted

Regular risk analyses must be conducted to maintain compliance with HIPAA, although it is now essential to conduct a post-Omnibus Rule risk analysis to address any security issues that may exist following the introduction of the new rules. All Omnibus Rule changes must be incorporated into existing policies and procedures updated as necessary before the September 23 deadline.

PHI Data Should be Encrypted

Any company required to store PHI data should employ a two tier data security system to safeguard the data. Data encryption is essential to prevent unauthorized individuals from accessing protected data, and mobile devices (laptops, tablets, hard drives and memory sticks) must have PHI data encrypted. If a hard drive or laptop is stolen and it contains unprotected PHI, it is a serious violation of HIPAA and is likely to incur a substantial fine from the OCR, regardless of whether the data was actually viewed.

Access to Data must be Restricted and Monitored

Access to PHI must be restricted as far as is possible to minimize risk, and access logs must be maintained and monitored to ensure that should an individual or group gain access to protected data. Any irregularities discovered in access logs should be investigated as a matter of urgency.

Staff Must be Trained and Understand the New Rules

HIPAA demands that the appropriate administrative, physical and technical safeguards are employed to protect electronic health information. While IT systems should be developed to ensure data is protected, HIPAA violations can easily be caused by poorly trained staff. It is essential that the staff is trained on the new HIPAA regulations, that all individuals understand their obligations under the legislation and that they agree to abide by the new rules. The training should be documented and each employee should sign the document to accept they have received the training. These documents will be required in the event of an OCR audit.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.