
2.7 Million Reasons Cloud Vendors and Data Centers ARE HIPAA Business Associates

Posted on July 25, 2016 | Written By

The following is a guest blog post by Mike Semel, President of Semel Consulting.
Some cloud service providers and data centers have been in denial that they are HIPAA Business Associates. They refuse to sign Business Associate Agreements and comply with HIPAA.

Their excuses:

“We don’t have access to the data so we aren’t a HIPAA Business Associate.”

“The data is encrypted so we aren’t a HIPAA Business Associate.”

Cloud and hosted phone vendors claim “We are a conduit where the data just passes through us temporarily so we aren’t a HIPAA Business Associate.”

“We tell people not to store PHI in our cloud so we aren’t a HIPAA Business Associate.”

Wrong. Wrong. Wrong. And Wrong.

2.7 million reasons Wrong.
Oregon Health & Science University (OHSU) just paid $2.7 million to settle a series of HIPAA data breaches “including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.”

Another recent penalty cost a medical practice $750,000 for sharing PHI with a vendor without having a Business Associate Agreement in place.

The 2013 changes to HIPAA, as published in the Federal Register (emphasis ours), state that:

“…we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity.

…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.” 

A cloud service doesn’t need access to PHI to be a Business Associate – it only needs to maintain or store it. Such vendors must secure PHI and sign Business Associate Agreements.

The free, consumer-grade versions of DropBox and Google Drive are not HIPAA compliant. The fee-based cloud services that provide higher levels of security, and for which the vendor will sign a Business Associate Agreement, are OK to use. DropBox Business and Google Apps cost more but provide both security and HIPAA compliance. Make sure you select the right service for PHI.
Encryption
Encryption is a great way to protect health information, because the data is secure and the HIPAA Breach Notification Rule says that encrypted data that is lost or stolen is not a reportable breach.

However, encrypting data is not an exemption to being a Business Associate. Besides, many cloud vendors that deny they have access to encrypted data really do.

I know because I was the Chief Operating Officer for a cloud backup company. We told everyone that the client data was encrypted and we could not access it. The problem was that when someone had trouble recovering their data, the first thing our support team asked for was the encryption keys so we could help them. For medical clients, that gave us access to unencrypted PHI.

I also know of situations where data was supposed to be encrypted but, because of human error, made it to the cloud unencrypted.

Simply remembering that Business Associates are covered in the HIPAA Privacy Rule while encryption is discussed in the Breach Notification Rule is an easy way to understand that encryption doesn’t cancel out a vendor’s status as a Business Associate.
Data Centers
A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

Taken together, a cloud vendor that stores PHI, and the data centers that house servers and storage devices, are all HIPAA Business Associates. If you have your own servers containing PHI in a rack at a data center, that makes the data center a HIPAA Business Associate. If you use a cloud service for offsite backups, or file sharing, they and their data centers are Business Associates.

Most data centers offer ‘Network Operations Center (NOC) services,’ an on-site IT department that can go to a server rack to perform services, so you don’t have to travel (sometimes across the country) to fix a problem.  A data center manager was denying they had access to the servers locked in racks and cages, while we watched his NOC services technician open a locked rack to restart a client server.

Our client, who had its servers containing thousands of patient records housed in that data center, used the on-site NOC services when their servers needed maintenance or just to be manually restarted.
Cloud-Based and Hosted Phone Services
In the old days, a voice message left on a phone system was not tied to computers. Faxes were paper-in and paper-out between two fax machines.

HIPAA defines a conduit as a business that simply passes PHI and ePHI through its system – like the post office, FedEx, UPS, phone companies and Internet Service Providers that only transport data and never store it. Paper-based faxing was exempt from HIPAA.

One way the world has changed is that Voice Over Internet Protocol (VOIP) systems, whether local or cloud-based, convert voice messages containing PHI into data files, which are then stored for access through a portal, phone, or mobile device, or attached to an e-mail.

Another change is that faxing PHI is now the creation of an image file, which is then transmitted through a fax number to a computer system that stores it for access through a portal, or attaches it to an e-mail.

Going back to the Federal Register statement that it is the persistence of storage that is the qualifier to be a Business Associate, the fact that the data files containing PHI are stored at the phone service means that the vendor is a Business Associate. It doesn’t matter that the PHI started out as voice messages or faxes.

RingCentral is one hosted phone vendor that now offers a HIPAA-compliant phone solution. It encrypts voice and fax files during transit and when stored, and RingCentral will sign a Business Associate Agreement.

Don’t Store PHI With Us
Telling clients not to store PHI, or stating that they are not allowed to do so in the fine print of an agreement or on a website, is just a wink-wink-nod-nod way of a cloud service or data center denying they are a Business Associate even though they know they are maintaining PHI.

Even if they refuse to work with medical clients, there are so many other types of organizations that are HIPAA Business Associates – malpractice defense law firms, accounting firms, billing companies, collections companies, insurance agents – they may as well give it up and just comply with HIPAA.

If they don’t, it can cost their clients if they are audited or through a breach investigation.

Don’t let that be you!

About Mike Semel
Mike Semel is the President of Semel Consulting, which specializes in healthcare and financial regulatory compliance, and business continuity planning.

Mike is a Certified Security Compliance Specialist, has multiple HIPAA certifications, and has authored HIPAA courseware. He has been an MSP, and the CIO for a hospital and a K-12 school district. Mike helped develop the CompTIA Security Trustmark and coaches companies preparing for the certification.

Semel Consulting conducts HIPAA workshops for MSPs and has a referrals program for partners. Visit www.semelconsulting.com for more info.

Will Misunderstandings Around The HIPAA Conduit Exception Rule Result In Organizations Failing The Phase 2 Audits?

Posted on December 14, 2015 | Written By

The following is a guest blog post by Gene Fry from Scrypt, Inc.
In January 2013, HHS defined the ‘conduit exception’ as part of the HIPAA Omnibus Final Rule, which was created to strengthen the privacy and security protections for health information.

The HIPAA conduit exception rule is applicable to providers of conduit services who do not have access to protected health information (PHI) on a routine basis. This means that they do not have to sign a Business Associate Agreement (BAA). However, some providers who do not fall under this definition are still claiming that they are HIPAA compliant. It is crucial that healthcare organizations understand exactly what this rule means, and how it may affect them if selected for an audit, or if a breach should occur.

What is a HIPAA Business Associate Agreement?
There are a number of providers who state they offer HIPAA compliant solutions for transmitting or storing PHI, and yet they are unwilling to sign a BAA.

As stated in the HIPAA Privacy and Security Rules, a business associate is defined as:

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

Therefore, any organization or business that handles personal health information is considered to be a business associate and must sign a BAA. As this acts as a contract between a HIPAA covered entity and a business associate, without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant.

Phase 2 HIPAA audits are due to begin in early 2016, and the transmission and storage of PHI is likely to be an area that the Office of Civil Rights (OCR) focuses on, given the large amount of noncompliance reported in the phase 1 audits conducted in 2012. While the phase 1 audits applied only to covered entities, in this round business associates will also be subject to audits by OCR. This means that business associates can be held accountable for data breaches and penalized accordingly for noncompliance.

Every covered entity must have a BAA in place with the organization responsible for PHI managed on their behalf. Without it, like a weak link in the chain, the whole system becomes noncompliant.

When does the exception rule apply?
There are instances where the HIPAA conduit exception rule does apply. For entities that simply transport or transmit PHI (such as the United States Postal Service, couriers, and their electronic equivalents), that have no routine access to PHI beyond infrequent or random access, and to which disclosure of the PHI is not intended, the HIPAA conduit exception rule is likely to apply.

The rule is rather confusing and open to interpretation when it comes to electronic protected health information (ePHI), as occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate. An example of an organization that would not require a BAA is an ISP: it checks whether ePHI transmitted over its network reaches its intended destination, but does not access or store the data.

Random or infrequent access, as defined by the HIPAA rules, is explained in the preamble to the rules, which explicitly states that the “mere conduit” exception is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” It is the ‘temporary storage’ terminology used in the rule that healthcare organizations often misinterpret.

The preamble defines the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage. The difference between those two situations “is the transient versus persistent nature of” the opportunity to access PHI. This means that a data storage company that has access to PHI still qualifies as a business associate, even if the entity does not view the information – or only does so on a random or infrequent basis.

Be wary of providers who refuse to sign a BAA
If a provider is unwilling to sign a BAA, the advice from David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, is “If they refuse to sign, don’t use the service”.

However, providers are citing the HIPAA conduit exception rule as the reason that a BAA is not required. By stating that they are acting as a ‘simple conduit for information’, they are stipulating that they are excluded from the definition of a business associate. This effectively absolves the provider of signing a BAA, and gets them off the compliance hook, while putting their customers at risk of not being compliant.

An entity that manages the transmission and storage of PHI, such as a HIPAA compliant cloud hosting company or a HIPAA compliant fax or messaging provider, does have more than “random access” to PHI – meaning that it does meet the definition of a HIPAA business associate. Any organization that is transmitting and receiving information that includes PHI falls into the category of business associates – and should be willing to sign a BAA.

Some providers will not sign a BAA because they claim to only offer what they call a “conduit service” – technically allowing them to state that they are HIPAA compliant, although this is untrue in many cases. In addition to offering services that relate to the transmission and storage of PHI, they may also guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and delete all faxes, voicemails and recordings after a short period – all in order to get out of signing the BAA.

Providers who offer a range of telecommunications services – some of which are purely conduit – may also refuse to sign a BAA for customers only requiring data transmission services due to the fact that their fax and SMS services are not actually HIPAA compliant. Again, these providers claim that they are HIPAA compliant because they can provide purely conduit services as part of their offering.

How can I ensure compliance when selecting a provider?

  • Never select a provider who is unwilling to sign a BAA.
  • Be wary of providers who refer to the HIPAA conduit exception rule if they will have access to ePHI – even if it is random or infrequent.
  • Ask the provider to prove its track record of safeguarding ePHI.
  • Check that the provider is able to demonstrate that their staff are trained in HIPAA compliance.

When selecting a provider, if they are truly HIPAA compliant, they will sign a business associate agreement because they are required to, and they should demonstrate a willingness to comply. A BAA acts as the contract between a HIPAA covered entity and a business associate, and without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant. Be wary of organizations that hide behind the conduit exception rule, or you may find your organization bears the brunt of OCR audits should a breach occur.

About Gene Fry
Gene joined the Scrypt, Inc. family in October of 2001. He has 25 years of IT experience working in industries such as healthcare and for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security Compliance Officer by the Identity Management Institute, holds an Electronic Health Record Specialist Certification (CEHRS™) through the National Health Career Association, and holds a Gramm-Leach-Bliley Act (GLBA) certification from BridgeFront and J. J. Keller. In his spare time, Gene rides a Harley Davidson as part of the Austin, Texas Chapter.