Over the past decade, more and more of our practice-management software programs have taken to storing much of our clinical data in the cloud. Although this is often touted as a great and wonderful advancement, it carries with it certain administrative responsibilities. On October 6, 2016, the United States Department of Health and Human Services issued guidance on HIPAA and cloud computing (www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html). This month's column provides an overview of that guidance.
Cloud services providers are separate entities from the health care providers, and from the business associates of those providers, that use their services. Under HIPAA, a business associate is a person or entity (including a subcontractor) that creates, receives, maintains, or transmits a patient's protected health information on behalf of a covered entity, or that provides services to a covered entity involving access to that information. Cloud services providers offer on-demand access to shared computing resources over the Internet; their offerings range from simple data storage at 1 end of the spectrum to networks, servers, platforms, applications, and complete software solutions, such as a hosted practice-management or electronic-record system, at the other. The HIPAA rules establish protections for protected health information in every form, including electronic protected health information, and they apply whenever a covered entity creates, receives, maintains, or transmits such information. Covered entities are health plans, health care clearinghouses, and health care providers that conduct billing, payment, and similar standard transactions electronically. The rules also apply to the business associates of those entities. They cover such things as the permitted uses and disclosures of protected health information, the safeguards required against inappropriate and unauthorized uses and disclosures, and a patient's rights with respect to his or her protected health information. Once a health care provider engages a cloud services provider to create, receive, maintain, or transmit electronic protected health information on its behalf, the cloud services provider becomes a business associate, and the 2 parties must enter into a business associate agreement.
The guidance was constructed in question-and-answer form, so it is best reviewed in that format. The first question essentially asks whether health care providers such as orthodontists, or any business associates who work with them, can use a cloud services provider to store or process electronic protected health information. The answer is yes, provided that a business associate agreement is entered into between the 2 entities. The business associate agreement establishes the permitted and required uses and disclosures of the protected health information and obligates the cloud services provider to apply appropriate safeguards against its misuse. Both the health care provider and any business associate that engages a cloud services provider must understand the computing environment that the selected provider offers, so that each can conduct its own risk analysis of the protected health information stored there. That risk analysis must identify and assess the potential threats and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information the entity creates, receives, maintains, or transmits. The guidance also suggests that the parties consider a service-level agreement to address HIPAA-related concerns such as system availability and reliability, backup and data recovery, how protected health information will be returned to the health care provider when the cloud services are terminated, how security will be maintained, and any limitations on the use, retention, or disclosure of a patient's protected health information. The terms of any service-level agreement must be consistent with the business associate agreement.
The next question asks whether a cloud services provider that stores only encrypted electronic protected health information, and does not hold the decryption key, is still a business associate. Again, the answer is yes: it is maintaining electronic protected health information on the health care provider's behalf, whether or not it can read it. Encryption significantly reduces the risk that unauthorized persons will view the information, but encryption alone cannot safeguard its confidentiality, integrity, and availability as the Security Rule requires. Encryption does nothing to keep the stored data from being corrupted or destroyed by malware, and it does not, by itself, keep the data available to authorized users during an outage or a disaster; those depend on contingency planning, backups, and the physical and administrative safeguards for the systems and servers that house the data, which a "no-view" provider still controls. Some requirements are then worked out case by case. For example, where only the health care provider controls who can view the electronic protected health information, the health care provider's own access-control and authentication implementation may satisfy those Security Rule requirements for the data the cloud services provider holds. Which party is responsible for which safeguards must be settled and written into the business associate agreement or the service-level agreement, because when a breach or failure occurs, each party will point to the responsibilities assigned to the other.
Business associates may use and disclose protected health information only as permitted by the business associate agreement and the Privacy Rule, or as otherwise required by law. In addition, a business associate may not block or terminate the health care provider's access to the protected health information it maintains, and the business associate agreement should say so. Finally, business associates must comply with the HIPAA breach notification requirements, which include notifying the health care provider of any breach of unsecured protected health information.
Another question asks whether a cloud services provider can be considered merely a conduit for the electronic protected health information, like the postal service, and thus be exempt from the requirement of a business associate agreement. The answer is no. The conduit exception is limited to transmission-only services, including any temporary storage that is incidental to the transmission, because such handling is transient. Transmission is 1 thing; persistent storage and processing are something else, and a cloud services provider that stores electronic protected health information for a customer is a business associate.
The next question asks what happens if a business associate or a health care provider uses a cloud services provider to maintain electronic protected health information without first executing a business associate agreement. Essentially, this is a HIPAA violation, and the Office for Civil Rights has resolved such cases through a resolution agreement and a corrective action plan that it oversees. Because a cloud services provider may not know that a customer is using its service to handle electronic protected health information, the HIPAA rules provide an affirmative defense if the provider corrects the noncompliance within 30 days of the time it knew or should have known of the violation (or within a longer period that the Office for Civil Rights deems appropriate). Once a cloud services provider realizes that it is housing electronic protected health information, it must come into compliance with all applicable HIPAA rules, or securely return the data to the customer or, if the customer agrees, securely destroy it.
The next question asks whether a cloud services provider that experiences a security incident must report it to the business associate or the health care provider. The answer is yes. Cloud services providers, because they are business associates, must report all suspected or known security incidents to the affected health care provider or business associate, mitigate any harmful effects, and document the incidents and their outcomes. A security incident is defined as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. The level of detail, frequency, and format of these reports can be worked out between the parties in the business associate agreement.
Another question asks whether the HIPAA rules allow health care providers to use mobile devices to access electronic protected health information that is stored in the cloud. The answer, of course, is yes, as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the electronic protected health information both on the mobile device and in the cloud, and as long as the necessary business associate agreements are in place. Understand that the required risk analysis for doing so rests with the health care provider.
The next question concerns the length of time that cloud services providers must maintain electronic protected health information after they have finished providing services to a health care provider. The answer is that the HIPAA rules specify no such period. The business associate agreement must, however, require the cloud services provider to return or destroy all protected health information upon termination of the health care provider-business associate relationship, where feasible, which this guidance summarizes as a 45-day period; where return or destruction is not feasible, the agreement's privacy and security protections must extend to the information for as long as it is retained. State laws or other federal laws specific to the retention of patient records may require that the records be kept longer.
The next question asks whether a cloud services provider is allowed to store electronic protected health information on servers located outside the United States. The answer is yes, as long as all involved entities comply with the HIPAA rules. The Office for Civil Rights noted that the risks to the information may vary greatly depending on its geographic location, and that some locations may increase the risks and vulnerabilities, but the standards are the standards: an appropriate risk analysis must be performed, and the resulting safeguards must be put in place.
Another question concerns who has the right to audit the security practices of cloud services providers. The answer is that the HIPAA rules require the health care provider to obtain satisfactory assurances, in the form of a business associate agreement, that the cloud services provider will safeguard the protected health information in accordance with the rules; they do not expressly require the cloud services provider to document its security practices for its customers or to allow its customers to audit those practices. Nothing, however, prevents a health care provider from requiring such documentation or audit rights in its business associate agreement or service-level agreement, based on its own risk analysis and risk management concerns.
The last question asks whether a cloud services provider that receives and maintains only deidentified information is a business associate. The answer is no. As long as the cloud services provider receives and maintains only information that has been deidentified in accordance with the Privacy Rule's deidentification standard, it is not a business associate. This is because deidentified information is not considered to be protected health information.
This was a lot; sorry about that. However, if you choose to use the cloud to store your patient information, you really must understand what your responsibilities are vis-à-vis HIPAA and the rules and regulations that apply to the business associates you interact with.
This is no small thing. The Office for Civil Rights takes violations very seriously. We now have the Internet, over which we transmit tons of protected health information. Nothing for nothing, but just going back to the earliest codes of ethics shows us that we must maintain patient confidentiality. The fact that this edict has evolved as it has, ostensibly to our benefit, makes it more incumbent on us to protect a patient's protected health information. I get it; it's only orthodontics. Who really cares whether a patient has a Class II molar relationship or a central diastema? That's really not the issue. The issue is that nobody has the right to know anything about me or anyone in particular unless I or they authorize the disclosure of this information. Period; end of story.
It's too easy to take for granted that it's no big deal. However, for the wrong person, it is a big deal, and it is not for us to decide. That's why HIPAA has rules, regulations, and guidelines. Read them and understand them; it's part of the deal. What deal? The one that lets us make a lot of money doing what we do to someone who has a "deformity" of some type who maybe, just maybe, wants to keep it private. Not to mention all the other personal information we have managed to collect: names, addresses, dates of birth, Social Security numbers, phone numbers, e-mail addresses, employer information, and whatever else our intake forms ask the patient to divulge.
For me, and I hope for you, it is that we have evolved to the point where the only thing that matters is the patient's presentation, why his or her dentition and dentofacial development are in the state they are in, how we choose to address that problem, and so on. Other than the patient and myself, no one has any right to know any of this, except maybe the third party that has agreed to pay for the treatment in whole or in part.
It’s sort of like “what happens in Vegas, stays in Vegas.”