MESSAGE
| DATE | 2013-01-24 |
| FROM | Ruben Safir
|
| SUBJECT | Subject: [NYLXS - HANGOUT] HIPAA and the "cloud"
|
The HIPAA-HITECH Regulation, the Cloud, and Beyond
Daniel Solove
January 23, 2013
The new HIPAA-HITECH regulation is here. Officially titled
?Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Notification Rules,? this new regulation modifies HIPAA in accordance
with the changes mandated by the HITECH Act of 2009. After years of
waiting and many false alarms that the regulation was going to be
released imminently, prompting joking references to Samuel Beckett?s
play Waiting for Godot, HHS unleashed 563 pages upon the world.
According to Office for Civil Rights (OCR) director Leon Rodriguez, the
rule ?marks the most sweeping changes to the HIPAA Privacy and Security
Rules since they were first implemented.? I agree with his dramatic
characterization of the regulation, for it makes some very big changes
and very important ones too.
The most important changes involve expanding HIPAA?s scope of coverage,
to regulate business associates (BAs) and subcontractors of BAs.The
regulation applies the HIPAA Security Rule and parts of the Privacy Rule
to BAs, which are now directly subject to HIPAA enforcement.
Subcontractors of BAs are also deemed to be BAs, and there must be a
business associate agreement (BAA) between a BA and a subcontractor. In
this post, I will discuss these particular changes and their
implications for a wide array of businesses and cloud computing in
healthcare.
A Litany of Changes
Before I focus on the issue of scope, I want to point out some other key
changes that the regulation makes. The regulation strengthens people?s
rights to receive electronic copies of their protected health
information (PHI). The Breach Notification Rule is changed to presume
that any impermissible access, use, or disclosure of PHI is a breach
unless a covered entity or business associate can demonstrate a low
probability PHI has been compromised. Instead of focusing on harm to the
individual, the focus is on the likelihood PHI has been improperly
accessed or exposed. Decedent PHI is protected for 50 years after death.
Previously, HIPAA protected PHI after death without any time limitation.
For patients who pay for treatment out-of-pocket, patients have a right
to restrict insurance companies from accessing the PHI. And as directed
by the HITECH Act, the regulations provide for much stronger penalties
for violations. There are many other changes too ? I?m only hitting a
few highlights.
HIPAA?s Expanded Scope
In my view, the most monumental change involves the vastly expanded
scope of HIPAA. The regulation applies the HIPAA Security Rule and parts
of the HIPAA Privacy Rule to business associates (BAs). A BA is any
person or entity that, on behalf of a covered entity, ?creates,
receives, maintains, or transmits protected health information for a
function or activity regulated by this subchapter, including claims
processing or administration, data analysis, processing or
administration, utilization review, quality assurance, patient safety
activities listed at 42 CFR 3.20, billing, benefit management, practice
management, and repricing.?
Previously, business associates were only indirectly subjected to
HIPAA?s requirements. Covered entities had to have a business associate
agreement (BAA) with a business associate that provided adequate
assurances that PHI would be safeguarded. Now, HHS has direct
enforcement power over business associates.
Additionally, subcontractors are now considered BAs and are subject to
the same direct HHS enforcement. The regulation includes within the
definition of a BA any ?subcontractor that creates, receives, maintains,
or transmits protected health information on behalf of the business
associate.? Commentary to the regulation provides that ?[a]pplying HIPAA
privacy and security requirements directly to subcontractors also
ensures that the privacy and security protections of the HIPAA Rules
extend beyond covered entities to those entities that create or receive
protected health information in order for the covered entity to perform
its health care functions.? According to the commentary: ?A
subcontractor is then a business associate where that function,
activity, or service involves the creation, receipt, maintenance, or
transmission of protected health information.? The intent, as the
regulation commentary explains, is to ensure that HIPAA protections
extend ?no matter how far ?down the chain? the information flows.? BAs
are subject to the same civil and criminal penalties under HIPAA as
covered entities.
What parts of the Privacy Rule apply to BAs? First, a BA is ?directly
liable under the Privacy Rule for uses and disclosures of protected
health information that are not in accord with its business associate
agreement or the Privacy Rule.? Second, a BA must disclose PHI when
required by HHS for a compliance investigation. Third, when an
individual requests an electronic copy of PHI from a covered entity, a
BA is required to disclose PHI to the covered entity or to the
individual in order to satisfy the covered entity?s obligations. Fourth,
the minimum necessary rule applies to BAs.
The Implications for the Cloud
Are cloud computing service providers BAs? I believe that they would be
covered. The regulation commentary provides that the ?data transmission
organizations that the Act requires to be treated as business associates
are those that require access to protected health information on a
routine basis. Conversely, data transmission organizations that do not
require access to protected health information on a routine basis would
not be treated as business associates.? The commentary also elaborates
that ?entities that manage the exchange of protected health information
through a network, including providing record locator services and
performing various oversight and governance functions for electronic
health information exchange, have more than ?random? access to protected
health information and thus, would fall within the definition of
?business associate.?? Mere ?conduits? of PHI, such as postal carriers
or courier services are not BAs because a ?conduit transports
information but does not access it other than on a random or infrequent
basis as necessary for the performance of the transportation service or
as required by law.?
According to the FAQ on the HHS website, ?[t]he mere selling or
providing of software to a covered entity does not give rise to a
business associate relationship if the vendor does not have access to
the protected health information of the covered entity. If the vendor
does need access to the protected health information of the covered
entity in order to provide its service, the vendor would be a business
associate of the covered entity.? The guidance includes the following
example: ?[A] software company that hosts the software containing
patient information on its own server or accesses patient information
when troubleshooting the software function, is a business associate of a
covered entity.?
The only ambiguity is if the PHI is encrypted, and the cloud provider
lacks access to the unencrypted PHI, then does the cloud provider have
access to it?
Overall, providers should realize that regardless of whether they
provide services to covered entities or BAs, they will be deemed BAs if
they create, receive, maintain, or transmit PHI for a regulated function
or activity, ?including claims processing or administration, data
analysis, processing or administration, utilization review, quality
assurance, patient safety activities listed at 42 CFR 3.20, billing,
benefit management, practice management, and repricing.? In addition to
having to follow key parts of the Privacy Rule and all of the Security
Rule, and being subject to HIPAA enforcement and penalties, BAs are also
fair game for HHS audits.
Beyond the Cloud
Beyond the Cloud, many other companies will find themselves within
HIPAA?s expansive domain. HHS recognized in its commentary that small
BAs might be particularly burdened with having to comply with HIPAA as
they previously ?may not have engaged in the formal administrative
safeguards such as having performed a risk analysis, established a risk
management program, or designated a security official, and may not have
written policies and procedures, conducted employee training, or
documented compliance as the statute and these regulations would now
require.? Nevertheless, in spite of these challenges, all BAs must comply.
We are in a new regime of HIPAA enforcement, with HHS enforcing HIPAA
quite vigorously, plus state attorneys general can now enforce HIPAA.
The penalties are much higher now too. This new regulation will be a
wake-up call to many companies.
I applaud these changes to HIPAA. They keep PHI within HIPAA?s bubble of
protection, as far too frequently before PHI would flow beyond the
bubble, and it would be used and handled by companies that lacked
adequate protections. The new HIPAA-HITECH regulation goes far to add
protections and enforcement to PHI far and wide. There will be growing
pains, of course, but this is a key step in the maturation of the HIPAA
regime. Of course, some flaws in HIPAA remain, but on balance, HIPAA is
one of the most comprehensive and impactful of privacy rules, and now
the regulation have taken it to a new level. This is a big step forward
in the protection of health privacy.
Cross-posted on SafeGov.
|
|
