GUIDANCE ON HIPAA & CLOUD COMPUTING


GUIDANCE ON HIPAA & CLOUD COMPUTING
http://www.hhs.gov/hipaa/for-professionals/special-topics/cloudcomputing/index.html
January 26, 2017
Health Care Cloud Coalition
Deven McGraw, Deputy Director, Health Information Privacy

Purpose
To assist HIPAA covered entities (CEs) and business associates (BAs) in understanding their HIPAA obligations to protect the privacy and security of electronic protected health information (ePHI) when they take advantage of cloud technologies.

HIPAA Rules Apply to CEs and BAs
Covered entities:
- Health plans
- Health care clearinghouses
- Health care providers that conduct certain payment-related transactions electronically

Definition of Business Associate (45 CFR 160.103, Definitions)
A person who:
(i) On behalf of such covered entity ... creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration ...; or
(ii) Provides ... services to or for such covered entity ..., [where the service] involves the disclosure of protected health information from such covered entity ... to the person.
Business associate includes:
- ... other person that provides data transmission services ... that requires access on a routine basis to such protected health information.
- (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
- (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

What are Cloud Service Providers?
A cloud service provider (CSP):
- Offers online access to shared computing resources
- Functions and scale can vary in response to user demands
- Services may include on-demand internet access to:
  - Data storage
  - Applications and software solutions (e.g., electronic health record system, email, databases)
  - Networks, servers

CSPs are Business Associates
- When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP is a business associate under HIPAA.
- When a business associate of a covered entity subcontracts with a CSP to create, receive, maintain, or transmit ePHI for purposes of assisting the business associate in performing functions or services for the covered entity, the CSP subcontractor is a business associate of the original business associate.

If the CSP is a BA
- The CE and CSP, or the BA and CSP, must establish a HIPAA-compliant business associate agreement (BAA).
- The CSP is liable to the CE, or other BA, for meeting the terms of the agreement.
- The CSP is directly liable to HHS for compliance with the applicable requirements of the HIPAA Rules.

Central Guidance Points
- HIPAA covered entities and business associates can use the services of CSPs consistent with their HIPAA responsibilities.
- A CSP can be a BA even when it processes or stores only encrypted ePHI and lacks an encryption key for the data.
- Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules.

Question 1: May a covered entity or business associate use a cloud service to store or process ePHI?
Yes.
- The CE and the CSP must enter into a business associate agreement (a contract containing particular terms) that:
  - Establishes permitted and required uses and disclosures of ePHI
  - Requires the BA to appropriately safeguard the ePHI
- The CE may want to understand the cloud environment of the CSP for its own risk management and for proper drafting of its BAA and any service level agreement (SLA), e.g., the cloud configuration may affect risk analysis and risk management (RA/RM).
- The SLA must be consistent with the Rules.

Question 2: If a CSP stores only encrypted ePHI and does not have a decryption key, is it a business associate?
Yes, because it receives, transmits, and maintains ePHI, even if it cannot view the ePHI. The guidance refers to these as "no-view" services.
- Lacking a decryption key does not alone assure the confidentiality, integrity, and availability of ePHI.
- The guidance walks through considerations for addressing particular requirements of the Rules, e.g., implementing appropriate access controls.
- Entities should document how each party will address the requirements.

Question 3: Where contractual agreements between the CSP and the CE/BA customer provide that the customer will control and implement certain security features of the cloud service consistent with the Security Rule (SR), and the customer fails to do so, what is the BA's responsibility?
A BA is not responsible for the compliance failures that are attributable solely to the actions or inactions of the CE, as determined by the facts and circumstances of the particular case.

Question 4: Can a CSP be considered a conduit, like the postal service, and therefore not a business associate that must comply with the HIPAA Rules?
Unlikely, as the conduit exception is limited to transmission-only services and temporary storage of PHI incident to those transmissions.
Which CSPs offer HIPAA-compliant cloud services?
OCR does not endorse, certify, or recommend specific technology or products.

Question 5: What if a covered entity (or BA) uses a CSP for ePHI without first executing a BA agreement with the CSP?
- The CE is in violation of the HIPAA Rules.
- A CSP that is a BA must comply with the Rules regardless of whether it has executed a BAA with the CE using its services.
- When a CSP discovers that a CE or BA customer is using its cloud for ePHI, it must either come into compliance and enter into a BAA, or securely return the ePHI to the customer or, if agreed to by the customer, securely destroy the ePHI.

Question 6: If a CSP experiences a security incident involving a covered entity's or business associate's ePHI, must it report the incident to the covered entity or business associate?
Yes.
- The Security Rule requires a BA to identify, respond to, mitigate, and document security incidents, and to report them to the CE or BA regarding their ePHI.
- The Security Rule is flexible: the parties may use the BAA to set the type, detail, and frequency of reports, e.g., report the number of pings monthly.
- The Breach Notification Rule (BNR) does specify content, timing, etc. for incidents that rise to the level of a breach of unsecured PHI.

Question 7: Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?
Yes.
- Implement appropriate safeguards.
- Enter into BAAs with any third-party service providers for the device and/or cloud that will have access to the ePHI.
- OCR, FTC, and ONC guidance is available on this topic: http://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device

Question 8: Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
No.
- A BAA must require a business associate to return or destroy all PHI at the termination of the BAA where feasible.
- If not feasible, the BAA must extend the protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible (e.g., other law regarding document retention).
- Note: this is further explored in the Data Availability FAQ.

Question 9: Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Yes. The same requirements apply. However, a CE would need to consider the location of the BA in its risk analysis and risk management, as outsourced storage overseas may present special considerations or increased vulnerabilities.

Question 10: Must CSPs that are business associates provide documentation or allow auditing of their security practices by their customers who are covered entities or business associates?
The Rules require assurances in the form of the BAA. CEs may require additional assurances from BAs as part of their risk management.
If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a business associate?
No. Such de-identified information is not PHI.

Guidance Refers Reader To
- NIST publications, e.g., the definition of cloud computing: http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf
- Existing OCR FAQs and guidance documents, e.g., sample contract provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- ONC resources, e.g., recommendations for EHRs: http://www.healthit.gov/providers-professionals/ehr-privacy-security