An overview of how HIPAA regulation affects your organization's cloud storage. Read the full whitepaper at https://docs.google.com/document/d/12CfwkS7vuAd-GjJmx0ggXp1e9NETbywc9puh1lZvrt4/
HIPAA and the Cloud, an Overview by Mover.io
1. https://mover.io Revised: July 2, 2013
HIPAA and the Cloud
created by
Web: https://mover.io
Phone: +1-415-704-0901
Eric Warnke
CEO
eric@mover.io
Mark Fossen
CIO
mark@mover.io
Notice
• This information is offered purely as a summary of our research, and not as legal advice.
• We have striven to be accurate and we hope this document is useful.
• If you have any questions, concerns, or corrections, please let us know so we can improve this document for others.
• View the full whitepaper here:
– https://docs.google.com/document/d/12CfwkS7vuAd-GjJmx0ggXp1e9NETbywc9puh1lZvrt4/
What is HIPAA?
Health Insurance Portability and Accountability Act
• Created in 1996
• Enforced by the Office for Civil Rights in the United States Department of Health and Human Services
• Ensures that Covered Entities (CEs: health plans, health care providers, and health care clearinghouses) follow security and privacy standards when handling clients' Protected Health Information (PHI, most personal health information)
Why is HIPAA Relevant?
• HIPAA recently added an 'Omnibus Rule' on Jan 25, 2013
– This rule has redefined the term Business Associate (B.A.) as it relates to Covered Entities
– HIPAA regulations now extend to many companies that were previously excluded
– All C.E.s and B.A.s must be compliant by September 23, 2013
"Business Associates"
• Omnibus Rule:
– "We have modified the definition of 'business associate' to generally provide that a business associate includes a person who 'creates, receives, maintains, or transmits' protected health information on behalf of a covered entity."
• As well, subcontractors of Business Associates are now considered Business Associates:
– "A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate."
Business Associates & HIPAA
• BAs and their subcontractors (who are themselves BAs) are now expected to be HIPAA-compliant if they are handling PHI, even if they are not aware that they are doing so.
• BAs handling PHI must have formal documentation in place (a Business Associate Agreement).
• This formal documentation covers:
– Permitted uses and disclosures
– Requirement to use appropriate safeguards
– Requirement to report non-permitted uses and disclosures to the Covered Entity
– Requirement to extend the same terms to subcontractors/agents
The Conduit Exception
• The only way a potential BA can avoid HIPAA compliance is by being considered a 'conduit' instead:
– "A conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law."
• The overall difference between a conduit and a BA is the 'persistent' vs. 'transient' nature of the service: a conduit only passes PHI through, while a BA keeps it. This is intended to be a very narrow exception.
• Examples of conduits are the U.S. Postal Service and Internet Service Providers.
Reactions to HIPAA
• With the addition of 'maintains' to the Business Associate definition, most cloud storage providers are now considered Business Associates and must become compliant if they wish to handle PHI legally.
• Providers have reacted in different ways, from rejecting HIPAA outright to fully integrating it.
• Providers focused on 'enterprise use' have generally become compliant, while 'personal use' providers have not.
Storage Provider Compliance
Some companies that provide entire platforms (e.g. Amazon AWS) rather than pure storage have not pursued full compliance themselves, but provide the tools necessary for their users to be compliant.
HIPAA Compliant:
• Box
• Egnyte
• Microsoft
Indirect HIPAA Compliance:
• Amazon
• Google
Not HIPAA Compliant:
• Dropbox
• SugarSync
• Yandex