(December 30, 2014): In a recent webinar presentation, I was asked whether I believed one of the many file sharing services that are available, was adequately encrypted. After investigating some of the particulars, the answer to that question was “yes”, but the answer raised more questions as to what else the Cloud Service Provider (CSP) may or may not have done to secure and protect the health care provider’s electronic Protected Health Information (ePHI) from loss, misuse, unauthorized access, disclosure, alteration and destruction. This paper addresses some of those issues.
Presently, there are no uniform CSP industry standards or best practices in place on how to best secure ePHI and, as some states like Texas additionally require, confidential information. Encryption at the 256-bit banking level meets the standards referenced in the HIPAA Technology Safeguards Rule, but encryption is not the only risk with CSPs. Knowing where your data will be stored is vital to HIPAA breach security and to modifying your BAA to best prevent any unauthorized access, transfers or use of ePHI.
II. Using the BAA to Control the Location and Means of Storing Your ePHI:
A. Using your BAA - The health care provider’s primary interest is to maintain control over its patients’ ePHI as much as possible, and that means specifying in your own BAA that your data shall not be received, transmitted, backed up or stored on any server not located within the borders of the continental United States, or, if it should be transferred overseas by accident, mistake or negligence, that the CSP must notify you and recover, remove, delete or destroy the information (at your option) within a reasonable length of time such as 48 hours (a weekend). Rather than trying to force the CSP to change their own BAA agreement to incorporate your needs and concerns (an unlikely task), it is simpler to rely on your own right to a BAA and modify it accordingly for a reciprocal signature.
B. Document Refusal by the CSP - If finding another provider is not a practical alternative for you, and you’ve already signed the CSP’s BAA, you can try to get them to modify their own BAA or use your own BAA in a reciprocal signing. Should the CSP refuse to modify their own BAA agreement to accommodate your concerns, which is most likely, or if the CSP verbally agrees then refuses to sign off on the changes, or refuses to sign your version of the BAA, then you should document that refusal by saving the CSP’s e-mail response or fax response, or by sending them an e-mail memorandum describing the time, date, persons engaged in the conversation, and content of the telephone conversation as you understood it. Include a written opportunity for them to make any additions or changes to the memo if they disagree with its content. This is your proof to HHS and your State’s Medicaid enforcement agency (HHSC in Texas) that you anticipated the issue and affirmatively tried to put policies, procedures or contract provisions in place to prevent this potential breach issue, but the business associate refused to comply. In the event of a server-location-related breach, this puts the burden of proof and fault back on the CSP as the responsible party and helps insulate you from possible Civil Monetary Penalties in the event of such a breach. Because of changes in BAA law by the Omnibus Rule, Covered Entities are now responsible for breach actions by their Business Associates, so this is even more important than it was previously.
III. Additional Liability for HIPAA violations under the ACA:
When the Affordable Care Act was passed more than 4 years ago on March 23, 2010, it mandated that every health care provider shall have and maintain a compliance plan. Even though the Secretary of Health and Human Services, Sylvia Mathews Burwell, has not yet set a final deadline date for most providers to have a plan in place, the mandate is well established and a deadline could be set at any time. While the date is not certain, the outcome is. Compliance Plans are now mandatory, and inevitable. Every health care service provider should be actively working to get their plan updated now. Health Care Service Providers should understand that the Office of Inspector General is already enforcing the compliance plan mandate in HIPAA breach situations, by charging that the provider knew or reasonably should have known of the breach risk and failed to have effective policies and procedures in place to prevent it.
As a covered entity and health care services provider, the burden is on you to anticipate problems with the business associates you do business with and to plan for these problems as best you can. For these reasons, it’s imperative to read all of your contracts carefully. This holds true for your Medicare and Medicaid provider agreements and it holds true for your private payor insurance carriers. If you have a health care related legal issue, administrative appeal or compliance problem, please contact Liles Parker for a free consultation at 1 (800) 475-1906.