This tip is a part of SearchCloudSecurity.com’s mini learning guide, HIPAA cloud computing advice: Ensuring cloud computing compliance.
As the use of cloud computing becomes more prevalent in health care, organizations that must comply with HIPAA face a number of compliance challenges, including the question of whether they should consider cloud service providers as HIPAA business associates. It matters because business associates have certain privacy and security requirements under the law that other third parties don’t -- and in turn, covered entities have specific requirements when it comes to business associates. Since guidance is tough to come by and consensus isn’t yet established, the decision can be complex.
The HIPAA privacy rule defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” That seems clear (i.e., disclosing PHI to a vendor means they’re a business associate) until you examine the specifics of “disclosure.” For example, some cloud service models only require storage of PHI; does mere storage constitute “disclosure” in the manner intended? Other vendors might back up the data automatically; is that “disclosure”? How about debugging, troubleshooting or monitoring? The list of ambiguous scenarios is a mile long.
Making the HIPAA business associate call
Not everybody agrees, and arguments can be made on both sides when it comes to assigning the business associate designation to cloud providers. For example, the U.S. Department of Health and Human Services FAQ tells us that a “conduit” of data (like a courier or a data transfer service) is not a business associate because it doesn’t routinely access the data as part of the normal course of its activities (“a conduit transports information but does not access it other than on a random or infrequent basis…”). However, according to a separate article on the HHS FAQ, a software vendor is a business associate when it needs routine access “…in order to provide its service… For example, a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting ….”
So, depending on the level of access the provider has to the data, different considerations might apply. HHS has attempted to clarify some of these questions in its most recent rulemaking, but still the issue comes down to routine, normative access on one hand compared to infrequent, anomalous access on the other. This means the decision comes down to (as usual) your particular usage -- i.e., not whether you’re using cloud, but how you’re using it. Using a SaaS where PHI is accessed every day by vendor personnel? That’s most likely a HIPAA business associate. Using a high-volume PaaS where only your staff routinely looks at data? Maybe not.
It’s a judgment call where usage is paramount. One caveat though: Usage isn’t always constant. You may initially engage a vendor to perform services only involving storage, but subsequently grant them other access. This means they might not be a business associate today, but could become one tomorrow.
Strategizing around HIPAA business associate status
A byproduct of all this is that organizations can reach different conclusions about the same vendor -- you might conclude the vendor is a business associate for you, whereas another covered entity might conclude otherwise. You can make this decision on an ad hoc basis of course, but the pragmatist can look to fold it into a broader strategy. For example, since business associates have enhanced security and privacy obligations relative to other vendors (for example, HITECH now mandates measures equivalent to covered entities), a covered entity with a more conservative posture may elect to treat cloud service providers as business associates in due diligence activities and contract negotiation.
While this is the most conservative approach, asking a cloud provider to enter into a business associate agreement can and does lead to many blank stares (or even calculated resistance) from vendors. Cloud service providers not focused on health care may not understand what a business associate is or why it matters -- while discount vendors might be loath to sign agreements because of additional due diligence or security control requirements. The point is, if you intend to treat your cloud service providers as business associates, expect to have to educate them about what that means and what their obligations are -- and also anticipate potential resistance ahead of time. A vendor that specializes in health care or that has a health care-focused service offering may be useful to consider should you choose to go down this route.
Deciding whether your cloud service providers are or are not business associates is a uniquely personal decision -- it varies by organization, by usage, and by organizational strategy. So be wary whenever someone argues that cloud vendors always are (or always aren’t) HIPAA business associates; remember that the definition of “cloud” is broad and can include a lot of different scenarios.
About the author:
Ed Moyle is a senior security strategist with Savvis as well as a founding partner of Security Curve.