Under the Final Rule, as previously discussed, business associates must comply with the technical, administrative, and physical safeguard requirements of the Security Rule. A business associate is directly liable for violations of the Security Rule and must also comply with the use and disclosure limitations in its business associate agreement, as well as those expressed in the Privacy Rule. A business associate is a person or entity that creates, receives, maintains, or transmits protected health information (PHI) in performing certain functions or activities for a HIPAA covered entity. The Final Rule clarifies that an entity that maintains PHI for a covered entity (e.g. a data storage company) is a business associate. The definition of a business associate expressly includes health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require “routine access” to PHI (e.g. PHR vendors that provide services to covered entities). In addition, business associate liability flows down to any subcontractors and downstream entities that handle PHI while working at the direction of, or on behalf of, a business associate.
In all health care sectors, new delivery models (e.g., EHRs, HIEs, ACOs, telemedicine) and evolving technologies (e.g., cloud computing, mobile devices, interactive and social media) are driving the increased use of third-party vendors. Those third parties are entrusted with patients' personal information and PHI. Cloud computing is one area where covered entities are entrusting patient information to vendors. Health care providers are implementing cloud-based EHRs, e-prescribing, and IT health service desks. Health care payors are placing outcomes-based research and analytic applications in the cloud. Pharmaceutical and drug providers are consolidating systems in the cloud. Human resources departments of various health care entities are consolidating their HR systems, including employee benefits, in the cloud.
Regarding cloud service providers specifically, under the Final Rule a cloud service provider is a business associate if it maintains PHI in the performance of its function. The cloud service provider is a business associate even if its agreement with the covered entity does not contemplate any access to the PHI, or where access occurs only on a random or incidental basis. Under the Final Rule, the test is persistence of custody, not the degree (if any) of access. Prior to the Final Rule, cloud providers relied on the conduit exception. Under the Final Rule, the conduit exception is limited to entities that merely transport PHI, such as courier services, where any opportunity to access the PHI is transient rather than persistent. As such, covered entities must ensure that their cloud service providers are safeguarding patient information.
At the OCR/NIST 6th Annual Conference on Safeguarding Health Information: Building Assurance through HIPAA Security, the following issues were recommended for covered entities to address with their cloud computing vendors (and business associates generally):
- Where is PHI located?
- How are breach risks minimized?
- How is the need for breach notification avoided? Does the vendor encrypt data at rest and in transit?
- Does the vendor have an incident response plan?
- How does the vendor track access to and modification of PHI? Is there audit logging and monitoring?
- Does the vendor segregate data to prevent unauthorized access to and disclosure of PHI?
- How is PHI disposed of at the end of the contract? What is the vendor’s policy and procedure on data retention and destruction?
- How does the vendor address the threat of knowledgeable insiders? Does the vendor have internal security procedures (e.g. employee background checks, training, and a method for monitoring physical and logical access)?
To monitor business associates after the Final Rule, the trend in the health care industry is for covered entities to add pre-contract risk and controls assessments, strengthen contractual safeguards and business associate agreements, and add or enhance post-contract audits. With liability flowing downstream, covered entities and business associates must complete their due diligence before entering into contracts with vendors who may maintain PHI.