Page 19 - Delaware Medical Journal - November 2017
CYBERSECURITY
of ePHI.[3] For physicians, compliance with the Security Rule can be time consuming and costly. So how can partnering with a CSP help reduce the burden? It depends.
As an initial matter, physicians must understand the nature of their relationship with a CSP, both from a legal and from an IT perspective. From a legal perspective, a CSP that maintains, creates, receives, or transmits ePHI is considered a “business associate,” and therefore is subject to HIPAA.[4] The health care provider and CSP are required to enter into a HIPAA-compliant business associate agreement (BAA).[5] The BAA establishes the permitted and required uses and disclosures of ePHI by the CSP and, perhaps more importantly, requires the CSP to appropriately safeguard the covered entity’s ePHI by implementing the requirements of the HIPAA Security Rule.[6]
Additionally, the CSP is required to identify and respond to suspected or known security incidents (which includes the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system); mitigate, to the extent practicable, harmful effects of security incidents that are known to it; and document security incidents and their outcomes.[7] Finally, the CSP is required to report to the covered entity any data security incidents of which it becomes aware.[8]
Clearly, the CSP, by agreeing to handle ePHI, assumes a great deal of compliance responsibility. The health care provider, however, remains subject to HIPAA’s Security Rule. In order to determine its own compliance obligations when using a CSP, a health care provider must of the cloud service or product under consideration. For example, a CSP may assume responsibility for security of the cloud (i.e., security of the over-the-Internet networks and databases), but not security in the cloud (i.e., security of the health care provider’s operating system and applications). The health care provider should retain an independent IT consultant to evaluate the features of a cloud service so that it can appropriately analyze all associated security risks.[9]
The health care provider must then use its risk assessment analysis to establish appropriate risk management safeguards.[10] The BAA should also incorporate the results of the health care provider’s risk analyses and its formal risk management policies. The CSP and health care provider are free to include in the BAA terms that of the parties so long as the terms are not inconsistent with HIPAA.[11] For example, the BAA could require the CSP to provide to the health care provider documentation regarding its own security audits, risk analyses, and risk management policies — which the CSP is not required to share with the health care provider under HIPAA. The parties can also agree, in certain circumstances, that one party is responsible for satisfying for both parties certain requirements set forth in the HIPAA Security Rule.
Physicians considering or using cloud computing services must understand that a CSP cannot eliminate all threats and vulnerabilities. CSPs can suffer power outages, hardware failures, and ransomware attacks. A physician must consider all risks associated with the particular cloud service or product he or she uses. Unfortunately, the U.S. Department of Health and Human Services does not endorse, certify, or recommend any particular cloud computing technology or product. Before engaging a CSP, physicians must conduct their own due diligence and consult both IT and legal experts to ensure HIPAA compliance. While cloud computing services do not entirely eliminate the burden of HIPAA’s Security Rule, they can in some cases reduce the cost.
CONTRIBUTING AUTHOR
■ RYAN T. KEATING, Esq. is an attorney with Morris James, LLP. He counsels medical institutions and professionals on their compliance obligations under HIPAA’s Privacy and Security Rules, and has experience leading data security breach investigation and response.
1. Gartner, Inc. Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond. October 6, 2015. Available at: http://www.gartner.com/newsroom/id/3143718. Accessed September 29, 2017.
2. U.S. Department of Health and Human Services. Guidance on HIPAA & Cloud Computing. October 7, 2016. Available at: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html. Accessed September 29, 2017.
3. 45 Code of Federal Regulations §§ 164.302-164.318.
4. 45 Code of Federal Regulations § 160.103.
5. 45 Code of Federal Regulations § 164.502(e).
6. 45 Code of Federal Regulations § 164.504(e).
7. 45 Code of Federal Regulations § 164.504(e)(2)(ii)(B).
8. 45 Code of Federal Regulations § 164.504(e)(2)(ii)(C).
9. 45 Code of Federal Regulations §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502.
10. 45 Code of Federal Regulations §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502.
11. 45 Code of Federal Regulations § 164.504(e).
Del Med J | November 2017 | Vol. 89 | No. 11