Cloud Storage Providers & BAAs – Where is Your Data?

(December 30, 2014): In a recent webinar presentation, I was asked whether I believed one of the many file sharing services that are available, was adequately encrypted. After investigating some of the particulars, the answer to that question was “yes”, but the answer raised more questions as to what else the Cloud Service Provider (CSP) may or may not have done to secure and protect the health care provider’s electronic Protected Health Information (ePHI) from loss, misuse, unauthorized access, disclosure, alteration and destruction. This paper addresses some of those issues.

Presently, there are no uniform CSP industry standards or best practices in place on how to best secure ePHI, and as some states like Texas additionally require, confidential information Encryption at the 256-bit banking level meets standards referenced in the HIPAA Technology Safeguards Rule , but this is not the only risk with CSPs. Knowing where your data will be stored is vital to HIPAA breach security and to modifying your BAA to best prevent any unauthorized access, transfers or use of ePHI.

I. Where are the CSP’s Servers Located?

This is a critical question. Frequently, CSP services require their new clients to sign off on the CSP’s Business Associate Agreement (BAA), before cloud services can begin. On the surface, this seems like a good idea and is even a convenience for the health care provider, but is it really? Each Covered Entity health care provider and each Business Associate Cloud Service Provider has a separate and overlapping duty under the HIPAA Final Omnibus Rule as modified by the HITECH Act, to maintain a BAA. This means both entities have their own BAA and can request the other entity to sign it. You may choose to sign and use the CSP’s BAA and abide solely by its terms, but the CSP’s BAA language will control.

Why is this important? The CSP’s BAA is written from their own point of view. The CSP’s primary interest is flexibility to move large amounts of data from location to location as needed to maximize efficient use of space. This is, after all, what they are selling. The CSP considers things like data overflow, backup data, and emergency rollovers in the event of equipment or power failure, fire, earthquake and the like. To accommodate these factors the, CSPs often scatter their servers geographically to multiple locations. Some may even be beyond the borders of the continental United States. They might also subcontract their cloud storage services to other CSPs overseas. Both scenarios create a problem for the health care provider.

Once your ePHI leaves the borders of the United States, you lose control over it and remember that if a breach occurs that the Health and Human Services Department’s Office of Inspector General (HHS-OIG) deems preventable, you could be liable for up to $50,000 per incident in Civil Monetary Penalties. You could also find yourself without a remedy. If the service contract is enforceable in Bangladesh for instance, you could have a contract in hand but no way to enforce it. American law might not apply or in some countries like India, it could take 25 years for your case to reach a judge.

II. Using the BAA to Control the Location and Means of Storing Your ePHI:

A. Using your BAA - The health care provider’s primary interest is to maintain control over its patients’ ePHI as much as possible, and that means specifying in your own BAA that your data shall not be received, transmitted, backed up or stored on any server not located within the borders of the continental United States, or it if should be transferred overseas by accident, mistake or negligence, that the CSP must notify you and recover, remove, delete or destroy the information (at your option), within a reasonable length of time such as 48 hours (a weekend). Rather than trying to force the CSP to change their own BAA agreement to incorporate your needs and concerns (an unlikely task), it is simpler to rely on your own right to a BAA and modify it accordingly for a reciprocal signature.

B. Document Refusal by the CSP - If finding another provider is not a practical alternative for you, and you’ve already signed the CSP’s BAA, you can try and get them to modify their own BAA or use your own BAA in a reciprocal signing. Should the CSP refuse to modify their own BAA agreement to accommodate your concerns, which is most likely, or if the CSP verbally agrees then refuses to sign off on the changes, or refuses to sign your version of the BAA, then you should document that refusal by saving the CSP’s e-mail response, fax response, or send them an e-mail memorandum describing the time, date, persons engaged in the conversation, and content of the telephone conversation as you understood it. Include a written opportunity for them to make any additions or changes the memo if they disagree with the content. This is your proof to HHS and your State’s Medicaid enforcement agency, (HHSC in Texas), that you anticipated the issue and affirmatively tried to put policies, procedures or contract provisions in place to prevent this potential breach issue, but the business associate refused to comply. In the event of a server location related breach, this puts the burden of proof and fault back on the CSP as responsible party and helps insulate you from possible Civil Monetary Penalties in the event of such a breach. Because of changes in BAA law by the Omnibus Rule, Covered Entities are now responsible for breach actions by their Business Associates, so this is even more important than it was previously.

III. Additional Liability for HIPAA violations under the ACA:

When the Affordable Care Act was passed more than 4 years ago on March 23, 2010, it mandated that every health care provider shall have and maintain a compliance plan. Even though the Secretary of Health and Human Services, Sylvia Mathews Burwell, has not yet set a final deadline date for most providers to have a plan in place, the mandate is well established and could be set at any time. While the date is not certain, the outcome is. Compliance Plans are now mandatory, and inevitable. Every health care service provider should be actively working to get their plan updated now. Health Care Service Providers should understand that the Office of Inspector General is already enforcing the compliance plan mandate in HIPAA breach situations, by charging the provider knew or reasonably should have known of the breach risk and failed to have effective policies and procedures in place to prevent it.

IV. Conclusion:

As a covered entity and health care services provider the burden is on you to anticipate problems with business associates you do business with and plan for these problems as best you can. For these reasons, it’s imperative to read all of your contracts carefully. This holds true for your Medicare and Medicaid provider agreement and it holds true for your private payor insurance carriers. If you have a health care related legal issue, administrative appeal or compliance problem, please contact Liles Parker for a free consultation at 1 (800) 475-1906

Pecore, Richard
Richard Pecore, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by RACs, ZPICs and other CMS-engaged specialty contractors. The firm also represents health care providers and medical billers in regulatory compliance reviews, HIPAA Omnibus Rule risk assessments, privacy breach matters, and State Medical Board inquiries. For a free consultation, call Richard at: 1 (800) 475-1906