What do ransomware, Yelp, and website tracking technologies all have in common? They are troubling areas of concern for HIPAA covered entities and business associates, according to one official from the federal Office for Civil Rights (OCR) which enforces the HIPAA privacy and security rules. Recently, the Executive Editor of Information Security Media Group’s (ISMG’s) HealthcareInfoSecurity.com media site, Marianne Kolbasuk McGee, sat down with Susan Rhodes, the OCR’s acting deputy for strategic planning and regional manager to discuss these issues.

We briefly summarize the discussion below, but you can access the short interview here (~10 min.). It is worth a listen.

Ms. Rhodes outlined three troublesome areas that OCR is watching closely:

  • Hacking/ransomware. Obviously, this continues to be a significant problem for the healthcare sector. According to Ms. Rhodes, ransomware attacks are up 278% in the last 5 years. Developing, maintaining, and practicing an incident response plan is one important tool for dealing with these and other attacks.
  • Online reviews. Negative comments made by customers/patients on popular online review services, such as offered by Yelp and Google, can be upsetting for any small business. Practitioners in the health care sector, such as physicians, dentists, etc. have to be particularly careful when responding to patient complaints on such platforms, if they respond at all. Their responses could result in the wrongful disclosure of protected health information of their patients, resulting in significant OCR enforcement actions such as occurred here and here.
  • Website tracking technologies. Calling this a “hot” area and referencing OCR investigations across the country, Ms. Rhodes directed listeners to the OCR guidance on tracking technologies issued in December 2022. Specifically, she reminded HIPAA covered entities of key considerations when using website tracking technologies including, without limitation, the potential need for business associate agreements and patient consent.

Ms. McGee also inquired about areas where covered entities and business associates’ HIPAA compliance frequently falls short. Ms. Rhodes mentioned a few:

  • Risk analysis – which is foundational to the policies and procedures adopted by covered entities and business associates.
  • Access controls – in short, making sure employees and other workforce members at the covered entity or business associate only have access to the PHI needed to perform their job.
  • Audit controls – regularly reviewing system activity, log files, etc. to identify irregular activity or potential compromises to PHI.

The HIPAA privacy and security rule continue to raise significant compliance challenges for covered entities and business associates. It is important to those that those challenges do not just exist in the physician’s office, but must be managed on line as well, including on organizations’ website.

We have been quite busy this October, which happens to be National Cybersecurity Awareness Month. But, we did not want to let the month go by without some recognition; and we are grateful to the HHS Office for Civil Rights (OCR) for this always timely reminder for HIPAA covered entities and business associates – have a written incident response plan

Why do we need another policy?

First, because it is required under the HIPAA Security Rule. See 45 CFR 164.308(a)(6). Also, because cybersecurity risks continue to rise. The OCR notes that cybersecurity incidents and data breaches continue to increase in the healthcare sector, citing a 69% increase in cyber-attacks for the first half of 2022 compared to 2021. Breaches of unsecured protected health information (PHI), including electronic PHI, reported to OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

Fine, so what does an incident response plan need to include?

The OCR describes some basic elements that should be included in an incident response plan (IRP):

  • identifying security incidents;
  • responding to security incidents;
  • mitigating harmful effects of security incidents; and
  • documenting security incidents and their outcomes.

As we get more specific below, note that each covered entity and business associate is different in several respects, such as size, number of locations, information systems, prior experience, cyber insurance policies, type of PHI, and state laws, just to name a few. So, your specific IRP may vary in significant ways, but these are four critical elements to address for your particular business and practice.

Can you be more specific?

Sure. The organization will want to think about who will be doing the responding – who is on the “security incident response team.” This is a team that is organized and trained to effectively respond to security incidents. OCR offers several areas to consider when forming a team, such as:

  • Have a strong balance of skill sets among team members (IT, legal, communications, etc.)
  • Ensure lines of communication will be available among team members during a crisis
  • Consider external parties that can provide specific expertise concerning incident response
  • Commit to regularly practicing incident response procedures for different types of attacks.

With a team established, the plan should provide for identifying security incidents. Of course, this requires knowing that a security incident is “the attempted or successful unauthorized access, use, disclosure modification, or destruction of information or interference with system operations in an information system .” One way to identify security incidents includes having audit logs in place and regularly reviewing them.

In the event of a security incident, the plan needs cover the steps for responding. This includes containing the security incident and any threat it may pose to ePHI, such as by identifying and removing any malicious code and mitigating any vulnerabilities that may have permitted the security incident to occur. However, to be better prepared to respond to security incidents, the plan should also include procedures such as:

  • Processes to identify and determine the scope of security incidents
  • Instructions for managing the security incident
  • Creating and maintaining a list of assets (computer systems and data) to prioritize when responding to a security incident
  • Conducting a forensic analysis to identify the extent and magnitude of the security incident
  • Reporting the security incident to appropriate internal and external entities
  • Processes for collecting and maintaining evidence of the security incident (e.g., log files, registry keys, and other artifacts) to determine what was accessed during the security incident

After the security incident has been neutralized, the next steps should include mitigation, including recovery and restoration of systems and data to return to normal operations. Mitigation efforts are facilitated through contingency planning, robust data backup, and recovery processes. These are areas that should not be thought about when a security incident occurs. For example, knowing that you have a backup is not enough, regularly making sure you are able to restore from backups while maintaining integrity is key. 

When these steps have been completed, particularly after operations have returned to normal, regulated entities must document their response to the security incident. This is required under HIPAA. The IRP can be helpful in outlining what information to include in the documentation (e.g., discovery of the security incident; systems and data affected; response and mitigation activities; recovery outcomes; root cause analysis; forensic data collected).

What about notification, shouldn’t that be part of the IRP?

Of course. The IRP should address the entity’s reporting obligations, whether to the affected individuals, the OCR, the media, state agencies, or a covered entity (for business associates). A critical aspect of notification is timing. For breaches affecting 500 or more individuals, notice is required without unreasonable delay and no later than 60 calendar days from the discovery of the breach. The OCR reminds regulated entities:

the time period [for reporting] begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. 

Further, 60 days is the outer limit for notification but,

in some cases, it may be an ‘unreasonable delay’ to wait until the 60th day to provide notification.

There is a lot more that can be said about IRPs, and it is not a good idea to wait until the next National Cybersecurity Awareness Month to craft one. Also, while directed to healthcare providers and their business associates, the same kind of planning is prudent for just about all organizations. 

IT Inventory & Asset Management | Device42 SoftwareLast week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.  OCR investigations often find that organizations “lack sufficient understanding” of where all of their ePHI is located, and while the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn and implementing appropriate safeguards – which are HIPAA Security Rule requirements. Essentially, if an organization doesn’t know what IT assets it has or where its ePHI is, how can it effectively assess the risks associated with those assets and information and protect them?

The lack of an inventory, or an inventory lacking sufficient information, can lead to gaps in an organization’s recognition and mitigation of risks to the organization’s ePHI.  Having a complete understanding of one’s environment is key to minimizing these gaps and may help ensure that a risk analysis is accurate and thorough, as required by the Security Rule.

In general, an organization’s IT asset inventory list consists of “IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset.”

The OCR Newsletter suggests including the follow types of assets in an organization’s IT asset inventory list:

  • Hardware assets that comprise physical elements, including electronic devices and media, which make up an organization’s networks and systems. This can include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.
  • Software assets that are programs and applications which run on an organization’s electronic devices. Well-known software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems. Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory.
  • Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.

In addition, the OCR Newsletter recommends the inclusion of IT assets that don’t necessarily store or process ePHI, but that still may lead to a security incident, such as Internet of Things (IoT) or other smart devices.  For example, a recent study by Quocirca, a security research firm, found that approximately 60 % of businesses in in the U.S., U.K., France and Germany have suffered a IoT printer related data breach in 2019, with the average breach costing an organization approximately $400,000.

The OCR Newsletter also provides other cybersecurity-related and HIPAA compliance benefits an IT asset inventory list can provide, beyond the risk analysis. For example, HIPAA requires that covered entities and business associates “[i]mplement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility”, which will be more efficient if the organization has IT asset inventory list that has location/owner/assignment information in place.  Moreover, an IT asset inventory list can aid an organization in identifying and tracking devices to ensure timely updates, patches and password changes.

HIPAA compliance is no doubt a significant challenge for large and small covered healthcare providers, and other covered entities and business associates, and data breaches are almost inevitable. Preparation of a comprehensive IT asset inventory, while not required, can go a long way in both ensuring HIPAA compliance, and preventing a security incident.  Below are some additional basic compliance measures:

  • Provide training and improve security awareness for workforce members when they begin working for the organization and periodically thereafter.
  • Maintain written policies and procedures that address required administrative, physical, and technical safeguards required under the Security Rule.
  • Maintain business associate agreements with all business associates.
  • Document compliance efforts.
  • Maintain and practice an incident response plan in the event of a data breach.

The Office for Civil Rights (OCR) has been moving swiftly to provide guidance on addressing key regulatory issues to aid in the fight to contain and defeat COVID-19. Some of the latest developments include exercising its enforcement discretion on certain good faith disclosures of protected health information (PHI) by business associates, adding FAQs for telehealth providers, and a resource page on its website for COVID-19 issues.

A common thread through all of the federal and state governmental briefings on the COVID-19 is that understanding the spread; managing healthcare personnel, equipment, and personal protective equipment (PPE); and other necessary resources requires data. Roger Severino, OCR Director, recognized the need for “quick access to COVID-19 related health data to fight this pandemic.” Because business associates have limitations on the circumstances under which critical data can be used and disclosed, despite the critical role they often play in storing and analyzing data, “[g]ranting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino added.

The HIPAA Privacy Rule already permits covered entities to provide the kind of data that is needed, however, current regulations allow a HIPAA business associate to use and disclose PHI for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity. It is common for business associate agreements to be drafted very narrowly, permitting only specified uses and disclosure. Thus, when federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.

To address this issue, OCR announced that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.

Specifically, the announcement provides that OCR will not impose penalties against a business associate or covered entity under certain Privacy Rule provisions if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities (see 45 CFR 164.512(b)), or health oversight activities (see 45 CFR 164.512(d)); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

The OCR provides examples of good faith uses or disclosures:

  • the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).
  • the Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).

It is important to note that while the OCR’s announcement provides some relief under HIPAA, it does not extend to other requirements or prohibitions under the Privacy Rule, or to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. This announcement also does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information. Thus, business associates still need to be careful when using and disclosing PHI in these circumstances, although this announcement provides some welcomed relief and should aid the efforts to fight COVID-19.

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000.

OCR recently announced a resolution agreement (pdf) with the Center for Children’s Digestive Health, S.C. (CCDH), a “small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.” According to the resolution agreement, OCR apparently learned of the missing BAA while investigating CCDH’s file storage vendor, FileFax, Inc., which stored CCDH’s PHI. Responsible for enforcing the privacy and security rules under HIPAA, OCR then commenced a compliance review of CCDH. It reported finding that neither CCDH nor FileFax could produce a signed BAA applicable to periods that CCDH had shared PHI with FileFax.  Without an admission of liability, CCDH agreed to resolve the matter by paying $31,000 and agreeing to comply with a comprehensive Corrective Action Plan (CAP).

The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes to HIPAA, including to the rules concerning “business associates.” Among those changes were updates to BAAs that the HIPAA rules require covered entities to maintain with their business associates. A covered entity’s business associates include third-party service providers, such as: claims administrators, accounting firms, law firms, consultants, cloud and other data storage providers.

The regulations make clear that even though business associates are directly subject to many of the HIPAA privacy and security requirements, BAAs remain necessary for compliance. A starting point for BAA compliance is the set of sample provisions posted by the OCR. However, there are other issues that parties to a BAA will want to address, such as: specificity concerning the safeguards that should be in place, data breach coordination and response, indemnity, cybersecurity insurance, and agency status. More information about business associates and BAAs can be accessed here.

Covered entities also should remember that the HIPAA regulations are not the only rules that require written assurances from third-party service providers concerning security of personal information. A number of state laws (e.g., California, Massachusetts, Maryland, New Mexico, New York, Oregon) require businesses to have contracts with third-party service providers to safeguard personal information. Of course, even in the absence of a federal or state law, taking steps to ensure vendors secure the confidential information they are provided, such as through a detailed data security agreement, is a prudent practice.

News reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk rests with an organization’s workforce members. An organization’s information technology (IT) department can do a tremendous job securing the systems from outside intruders, however, relying too heavily on external risks at the expense of internal risks can be problematic for any healthcare practice or healthcare industry vendor. Whether inadvertently or intentionally, employees are frequently the cause of improper uses or disclosures of patient data, putting the company at risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.

It is true that no system or set of safeguards is infallible; breaches are going to happen. However, here are some steps providers and business associates can take to reduce the risk that those breaches will be caused by members of the company’s workforce:

  • In-person Training. Many covered entities and business associates use on-line, “in-the-can” training products. These could be a valuable part of any training and awareness program, particularly for conveying general HIPAA privacy and security concepts. But there is no substitute for in-person training about the provider’s own policies as applied to the day-to-day circumstances of that practice or business. Employees need to ask questions and hear how policies interact with their particular job responsibilities to best understand some of the nuances in applying HIPAA and applicable state laws and privileges. The Texas Medical Records Privacy Act (the state’s “mini-HIPAA” law), for example, does not mandate in-person training, but it does require at Section 181.101 that training address “state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.” It is important to make training real, practical and regular. In many cases, it is the more senior employees, physicians and nurses, who could benefit most from such training.
  • Enhance Monitoring. All the training in the world will not protect an organization from an employee who is intent on taking information or improperly accessing information. For example, the employee might be trying to find out information about the diagnosis or drug use of a family member, or the employee may be in fear of losing his or her job and want to collect evidence for subsequent litigation. Other employees may want to steal patient/customer information for a new business, or commit medical identity theft which is reported to be growing rapidly. Implemented carefully and responsibly, monitoring systems activity can be an excellent tool for helping the organization to mitigate and in some cases stop data loss.
  • Manage Devices. The flood of new and more powerful devices carried by employees is a headache for any Privacy Officer. But some of the risks could be relieved through careful planning and policies. Consider the following: (i) should all devices be permitted, (ii) if so, what mobile device management solution, if any, should be used; (iii) which employees should be permitted to use devices at the workplace, and what should they be permitted to access; (iv) what happens to the device when the employee is terminated or purchases a new device; (v) do employees have to be reimbursed for the cost of the device or the data service; and (vi) do we have any labor law considerations, whether or not the workforce is unionized.
  • Plan for a Breach. As noted above, breaches are going to happen, so plan and run drills. Even if on a single page, have a checklist for responding that addresses such things as – who should be involved in the response process, who will coordinate the investigation and ensure systems are secure, what vendors can the organization call upon (legal, forensic, etc.), insurance contacts and requirements, and who makes decisions on such things, as whether to notify, who to notify, and what to say in the notice. Employees hear about these incidents, but many do not have a feel for what a breach is, how to report internally, the steps involved, and how quickly the organization must respond.
  • Assess Confidence in IT Staff. For many practices, it likely is easier to assess a surgeon’s competence than the competence of the practice’s IT director. Often the owners of a healthcare practice do not find this out until it is too late. The business should take steps to ensure it has the right team in this critical department. In some cases, it may need to have an outside vendor assess the performance of its internal team.

Could your healthcare practice or business become the target of an external attacker? Yes. Is it likely? Probably not as likely as an internal incident. The steps outlined above are not exhaustive, and do not promise HIPAA compliance. They are, however, sensible best practices to help avoid inadvertent and intentional activities inside the organization that can cause a data privacy or security incident.

I recently had the pleasure of speaking to a great group at the Connecticut Assisted Living Association (CALA) about HIPAA and a range of related practical issues. Many covered entities and business associates, particularly those that are small businesses, continue to work on understanding the privacy and security standards, and how to best apply them in their businesses and with their varied workforces. Compliance can be challenging, but it is important to get started and document the compliance steps taken. Here are some reminders about HIPAA privacy and security compliance:

  • Risk assessment. This is a critical step required under the security regulations. Many covered entities and business associates focus first on written policies and procedures to safeguard protected health information (PHI). But those policies and procedures need to address the risks and vulnerabilities to PHI, which can only be determined through an appropriate risk assessment. Of course, organizations need to continually assess their risks and vulnerabilities as their businesses change and grow.
  • Business Associate Agreements. The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes affecting “business associates.” Among those changes were updates to the “business associate agreements” that the HIPAA Rules require covered entities to maintain with their business associates, which could include claims administrators, consultants, cloud and other data storage providers. The final HIPAA regulations established a transition rule that permitted covered entities and business associates to continue to operate under certain existing business associate agreements for up to one year beyond the compliance date of the final regulations (September 23, 2013). That transition period ends this month. Accordingly, it is critical that business associate agreements be updated.A starting point for business associate agreement compliance is the set of sample provisions posted by the Office of Civil Rights. However, there are other issues that parties to the business associate agreement will want to address, such as, data breach coordination and response, indemnity, and agency status. Additionally, a number of state laws (e.g., California, Massachusetts, Maryland) require businesses to have contracts with third-party service providers to safeguard personal information, which likely will include information in addition to protected health information under HIPAA.
  • Data Breach Preparedness. Data breaches continue to happen across the country, exposing vast amounts of sensitive data. HIPAA regulations and laws in 47  states require a number of steps to be taken when a breach happens including notifying the affected individuals and certain governmental agencies. Absent a plan for responding, companies often find themselves ill-prepared to respond timely, correctly and completely. Responding timely is particularly important for avoiding an inquiry from a federal or state agency concerning a data breach. Having a plan and practicing that plan can significantly enhance a company’s ability to respond and minimize its exposure following a breach.
  • OCR AuditsIt is expected that the Office for Civil Rights, which enforces the HIPAA privacy and security rules, will be resuming its audit program this fall – which applies to both covered entities and business associates. There are many steps covered entities and business associates can take to be audit ready. Good documentation is one of the most important. OCR wants to be able to see that the organization has taken steps to address the standards under the privacy and security rules. A documented risk assessment, written policies and procedures, and sign-off sheets showing workforce members went through HIPAA training are all examples of documentation an OCR investigator would be expecting to find as part of the audit.

Being “compliant” is no small task, especially as each business has its own particular needs, risks, vulnerabilities, environments, and circumstances that have to be considered. Compliance for an assisted living facility, for example, might look a bit different than it does for a large metropolitan hospital, but many of the fundamental principles are the same.  The key is to get started, understand the risks to PHI, address those risks in a manner appropriate to the organization (one hundred and fifty pages of policies and procedures is not appropriate for many organizations) and under each of the required standards, implement appropriate policies and procedures, and document.

The Department of Health and Human Services announced on February 24 that it is seeking information about conducting a pre-audit survey. That is, it plans to conduct a “survey of up to 1200 [HIPAA] covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provider certain services to a HIPAA covered entity) to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program.” (emphasis added) Many covered entities and business associates will be wondering, of course, whether their compliance efforts are “suitable” to survive an audit.

In any event, the survey would gather information about size, complexity, and fitness of a covered entity or business associate for an audit. Questions in the survey likely will relate to data such as the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

At this point, the survey is not on its way to you. The agency is seeking comments about (1) the necessity and utility of the proposed survey for the proper performance of its functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other technology to minimize the information collection burden. If you would like to submit comments on these issues, you can do so by emailing them to Information.CollectionClearance@hhs.gov to be received no later than April 25, 2014. You also can call (202) 690–6162.

Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") virtually to the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning what entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the HIPAA Rules. As a result of some of these changes, covered entities and BAs need to re-examine the relationships with their subcontractors to ensure they obtain the appropriate satisfactory assurances concerning the "protected health information" (PHI) they make available to those subcontractors.

Below are some of the key points from the final regulations concerning BAs and subcontractors:

  • Subcontractors. The final HIPAA regulations provide that subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are business associates. This is a significant expansion of the application of the HIPAA Rules; it makes subcontractors directly liable under the HIPAA Rules.

As a result of this change, just as covered entities need to ensure that they obtain satisfactory assurances concerning compliance with the HIPAA Rules (usually in the form of a business associate agreement, BAA) from their BAs, BAs must do the same with regard to certain subcontractors. This must continue no matter how far “down the chain” the PHI flows.

  • Business Associate Agreement Not Necessary to Establish Status as Business Associate. The final HIPAA regulations confirm that persons and entities that meet the definition of a BA have that status regardless of whether a "business associate agreement" is in place.
  • Data Storage Companies. Entities that maintain PHI (digital or hard copy) on behalf of a covered entity are BAs, "even if [they] do not actually view the [PHI]."  This provision may create significant compliance issues for cloud service providers, as well as hard copy document storage companies, that have access to the records of their clients but may never look at them. The conduit exception is a narrow one and only applies transmissions of data, not storage. 
  • Certain Groups Not Considered Business Associates.
    • Researchers generally are not considered BAs when performing research functions.
    • Banking institutions generally are not considered BAs with respect to certain payment processing activities (e.g., cashing a check or conducting a funds transfer)
    • Malpractice insurers generally are not considered BAs when providing services related to the insurance, but may be BAs when providing risk management and similar services to covered entities.

Transition rule for compliance. A transition rule under the final HIPAA regulations permits covered entities and BAs to continue to operate under certain existing contracts for up to one year beyond the compliance date (September 23, 2013) of the final regulations. A qualifying business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. This rule only applies to the language in the agreements, the parties must operate as required under the HIPAA Rules in accordance with the applicable compliance dates. 

Covered entities and business associates may want to act more quickly to identify and contract with those individuals and entities from whom they must obtain satisfactory assurances under HIPAA.

As more companies move to the cloud, regulatory compliance remains a critical issue. For cloud service providers to the healthcare industry, it looks like the requirement to comply with the HIPAA privacy and security rules as business associates will be confirmed when long-awaited final regulations are issued, based on a report by Marianne Kolbasuk McGee with Healthcare Information Security. According to Ms. McGee’s report, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, addressed this issue during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights.

Cloud service providers would prefer to take the position that they are conduits to protected health information, and therefore not business associates, similar to the US Postal Service, and certain private couriers and their electronic equivalents. See HIPAA FAQ.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. However, HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity." See HIPAA FAQ

According to Ms. Pritts’ remarks in the report cited above, it appears that the modifications made to HIPAA under the Health Information Technology for Economic and Clinical Health (the HITECH Act), along with anticipated regulatory guidance, will remove any doubt that cloud service providers servicing HIPAA covered entities are "business associates." This would require, among other things, that covered entities enter into business associate agreements with their cloud providers, and that standard confidentiality clauses likely will be insufficient. Of course, covered entities, practitioners and others are looking forward to these long awaited regulations to help clarify this and other issues.