HIPAA and InfoSec
In January 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Read the Final Rule in the Federal Register
Posted: 28 Jan 2014 07:19 AM PST
The HIPAA Omnibus Rule made major changes to how Business Associates are regulated under HIPAA.
How can I tell if my cloud vendor is HIPAA compliant?
One of the most frequent questions that we get asked by clients is “How can I tell if my cloud vendor is HIPAA compliant?” A lot goes into being HIPAA compliant and it is hard enough ensuring that your organization is compliant let alone trying to determine if another organization is compliant. There is a basic rule that you can use to help weed out companies that are not compliant.
The HIPAA Omnibus Rule makes it clear that if you are storing electronic protected health information (ePHI, i.e. patient information) on any servers that are not your own, that vendor MUST sign a HIPAA Business Associate Agreement (BAA). If the vendor says they don't need to sign a BAA or refuses to sign one, then you should not use them to store or maintain ePHI. Signing a BAA does not make a vendor HIPAA compliant, but without signing a BAA they cannot be HIPAA compliant.
Examples of Cloud Business Associates
Here are some examples of companies that would be Business Associates (BA) if you are storing ePHI on their servers:
- Dropbox – if you use Dropbox to store ePHI, they would be a BA (as of today they will not sign a BAA)
- AOL, Yahoo, Comcast, Optonline, etc. – if you use any of these for email and the emails contain ePHI, then they would need to sign a BAA (as of today none of these vendors will sign a BAA)
- Box – if you use Box to store ePHI, they would be a BA (Box will sign a BAA)
- Microsoft Office 365 – if you use any products in the Office 365 suite, e.g. Exchange Online, SharePoint Online, etc., they would be a BA (Microsoft will sign a BAA)
- Google Gmail or Google Apps – we go into detail here about Google's willingness to sign a BAA
Takeaway: A Business Associate Agreement does not make an organization HIPAA compliant, but it is a requirement for Business Associates and a step in the right direction. A vendor that refuses to sign a BAA sends a clear signal that they are not complying with the HIPAA Omnibus regulations and should not be used to store ePHI, nor should ePHI be disclosed to them. There are some exceptions to the rule (e.g. your Internet service provider, such as Verizon or AT&T, is not required to sign a BAA), but for the most part, using the BAA as a rule of thumb will help weed out vendors that are not HIPAA compliant.
HHS OCR and ONC Release HIPAA Privacy Notice Templates
On September 16, 2013, the US Department of Health and Human Services Office for Civil Rights and the Office of the National Coordinator for Health IT published a set of HIPAA Notice of Privacy Practices templates, in four formats for both providers and health plans, together with instructions for their use. The templates include the changes required by the HIPAA Omnibus Update of 2013 and are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
In related news, in September 2013 the AMA released updated tools for HIPAA Privacy and Security Compliance, including new sample Notice of Privacy Practices and Business Associate Agreement templates, as well as toolkits and FAQs. See: http://www.ama-assn.org/go/hipaa
HIPAA and Information Security Resources
- Information Security Policies Template (scroll to bottom of webpage)
- Risk Assessment Toolkit
- HIPAA Privacy and Security Toolkits
- HIPAA Privacy and Security Toolkits for Small Provider Organizations
- Mobile Security (Smartphones, Tablets, etc.) Toolkit
- Important Resources and Guidance Materials for Covered Entities
- Integrating Privacy and Security into Your Practice
- Online Privacy & Security Training Game