HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013

Speaker: Phil Cox - Director of Security and Compliance, RightScale

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Insurance Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. Many organizations have based their architectures and implementations on previous proposed and interim regulations, some of which are no longer valid. Anyone falling under HIPAA requirements is required to meet these new definitive compliance requirements by September 23, 2013. This talk will discuss the parts of the Omnibus rule that affect the cloud landscape, and how you can successfully deploy a HIPAA-compliant application in the public cloud.

  • HIPAA in the Public Cloud: The Rules Have Been Set. Phil Cox, Director of Security and Compliance, RightScale
  • On January 25, 2013, the US Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Insurance Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. This talk will discuss the parts of the Omnibus rule that affect the cloud landscape, and how you can successfully deploy a HIPAA compliant application in the public cloud. MAIN MESSAGE: Know how the Omnibus Rule affects you!
  • Today we will discuss three issues …
  • Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA includes regulations for the use and disclosure of Protected Health Information (PHI), such as medical records and payment history. This is the portion that requires companies to make sure that medical information isn’t improperly shared or disclosed, which impacts companies that have PHI in the cloud.
  • The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information. HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003. The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.
    De-Identified Health Information: There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
    Security Rule:
      Defines “who” is covered by the Security Rule; HITECH expanded the responsibilities of business associates.
      Defines “what” information is protected: all PHI a covered entity creates, receives, maintains or transmits in electronic form (a.k.a. electronic protected health information, e-PHI), a subset of the Privacy Rule. The Security Rule does not apply to PHI transmitted orally or in writing.
  • The Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
    Part 160 - GENERAL ADMINISTRATIVE REQUIREMENTS
      Subpart A - General Provisions
      Subpart B - Preemption of State Law
      Subpart C - Compliance and Investigations
      Subpart D - Imposition of Civil Money Penalties
      Subpart E - Procedures for Hearings
    Part 164 - SECURITY AND PRIVACY
      Subpart A - General Provisions
        Section 164.102 - Statutory basis
        Section 164.103 - Definitions
        Section 164.104 - Applicability
        Section 164.105 - Organizational requirements
        Section 164.106 - Relationship to other parts
      Subpart E - Privacy of Individually Identifiable Health Information
        Section 164.500 - Applicability
        Section 164.501 - Definitions
        Section 164.502 - Uses and disclosures of protected health information: general rules
        Section 164.504 - Uses and disclosures: Organizational requirements
        Section 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations
        Section 164.508 - Uses and disclosures for which an authorization is required
        Section 164.510 - Uses and disclosures requiring an opportunity for the individual to agree or to object
        Section 164.512 - Uses and disclosures for which an authorization or opportunity to agree or object is not required
        Section 164.514 - Other requirements relating to uses and disclosures of protected health information
        Section 164.520 - Notice of privacy practices for protected health information
        Section 164.522 - Rights to request privacy protection for protected health information
        Section 164.524 - Access of individuals to protected health information
        Section 164.526 - Amendment of protected health information
        Section 164.528 - Accounting of disclosures of protected health information
        Section 164.530 - Administrative requirements
        Section 164.532 - Transition provisions
        Section 164.534 - Compliance dates for initial implementation of the privacy standards
  • The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person. Give examples of one of each.
    The Security Rule: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr160_07.html
    Part 160 - GENERAL ADMINISTRATIVE REQUIREMENTS
      Subpart A - General Provisions
      Subpart B - Preemption of State Law
      Subpart C - Compliance and Investigations
      Subpart D - Imposition of Civil Money Penalties
      Subpart E - Procedures for Hearings
    Part 164 - SECURITY AND PRIVACY
      Subpart A - General Provisions
        Section 164.102 - Statutory basis
        Section 164.103 - Definitions
        Section 164.104 - Applicability
        Section 164.105 - Organizational requirements
        Section 164.106 - Relationship to other parts
      Subpart C - Security Standards for the Protection of Electronic Protected Health Information
        Section 164.302 - Applicability
        Section 164.304 - Definitions
        Section 164.306 - Security standards: General rules
        Section 164.308 - Administrative safeguards
        Section 164.310 - Physical safeguards
        Section 164.312 - Technical safeguards
        Section 164.314 - Organizational requirements
        Section 164.316 - Policies and procedures and documentation requirements
        Section 164.318 - Compliance dates for the initial implementation of the security standards
      Appendix A to Subpart C of Part 164 - Security Standards: Matrix
    Down and Dirty on the Security Rule:
      Risk analysis as part of their security management processes
      Administrative Safeguards: Governance, defined staff roles, access management, training and awareness, program reviews
      Physical Safeguards: Facility access and control, workstation and device security
      Technical Safeguards: Access control, monitoring of access, integrity controls, transmission security
      Organizational Requirements: Covered entities must manage business associates
      Policies and Procedures and Documentation Requirements: Must have them and keep them for 6 years, and need periodic reviews
  • Definition of Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
    Unsecured Protected Health Information and Guidance: Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.
    Breach Notification Requirements: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.
    Individual Notice: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means. These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
    Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
    Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
    Notification by a Business Associate: If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
    Burden of Proof: Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
    Breaches Affecting 500 or More Individuals: If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report. For questions regarding the completion and submission of this form, please e-mail OCRBreach@hhs.gov.
    Breaches Affecting Fewer than 500 Individuals: For breaches that affect fewer than 500 individuals, a covered entity must provide the Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. Notifications of all breaches occurring after the effective date in 2009 must be submitted by March 1, 2010. This notice must be submitted electronically by following the link below and completing all information required on the breach notification form. A separate form must be completed for every breach that has occurred during the calendar year. If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission. If, at the time of submission of the form, it is unclear how many individuals are affected by a breach, please provide an estimate of the number of individuals affected. As this information becomes available, an additional breach report may be submitted as an addendum to the initial report. For questions regarding the completion and submission of this form, please e-mail OCRBreach@hhs.gov.
  • Final regulations have now been released for the HITECH Act that have relevance to HIPAA data in the cloud.
  • Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
    General Provision: The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
    Business Associate Contracts: A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
  • Incidental: janitors. Conduit: ISP.
  • clarify that a business associate includes an entity that ‘‘creates, receives, maintains, or transmits’’ protected health information on behalf of a covered entity. Page 8: The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, applies only to protected health information in electronic form and requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. Like the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities. (emphasis added) The Omnibus rule can be found at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf
  • We adopt the modifications to the Security Rule as proposed to implement the HITECH Act’s provisions extending direct liability for compliance with the Security Rule to business associates. In response to the concerns raised regarding the costs of compliance, we note that the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including a subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it. See § 164.314(a).
    BA Limits: The final rule adopts the proposed modifications to §§ 164.502(e) and 164.504(e). As we discussed above, while section 13404 of the HITECH Act provides that business associates are now directly liable for civil money penalties under the HIPAA Privacy Rule for impermissible uses and disclosures and for the additional HITECH requirements in Subtitle D that are made applicable to covered entities, it does not apply all of the requirements of the Privacy Rule to business associates and thus, the final rule does not. Therefore, business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate, which would then make it a contractual requirement for which contractual liability would attach.
  • Make sure to reiterate that business associate management is probably the most problematic part of HIPAA in the public cloud.
  • We proposed to modify this section to re-designate § 164.105(a)(2)(iii)(C) as (D), and to include a new paragraph (C), which makes clear that, with respect to a hybrid entity, the covered entity itself, and not merely the health care component, remains responsible for complying with §§ 164.314 and 164.504 regarding business associate arrangements and other organizational requirements. Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component. The final rule adopts this change.
  • First, we have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies). Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant risk of harm to the individual as was provided under
  • 4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected Reasonable cause is currently defined at § 160.401 to mean: ‘‘circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.’’ Talk about “Identical violations”
  • HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013

    1. 1. april25-26sanfranciscocloud success starts hereHIPAA in Public CloudThe Rules Have Been Set
    2. 2. #2#2#rightscalecompute#2Introduction• On January 25, 2013, HHS released the Omnibus Rule whichfinalized all the former HIPAA/HITECH interim rules• Most of this session will be about HIPAA/HITEC and notnecessarily cloud (if you don‟t understand the former, you‟llhave no clue how to applies it to the latter)
    3. 3. #3#rightscalecomputeMy Core Message for Today:HIPPA compliance inpublic cloud is aboutgovernance
    4. 4. #4#4#rightscalecompute#4Agenda• Quick HIPPA level set• Main changes• Wrap-up
    5. 5. #5#5#rightscalecompute#5About HIPAA• HIPAA is the Health Insurance Portability and Accountability Actof 1996• Title II: Preventing Health Care Fraud and Abuse; AdministrativeSimplification; Medical Liability Reform• Defines policies, procedures and guidelines for maintaining the privacyand security of individually identifiable health• 3 Main “Rules” from the Administrative Simplification Rules• Privacy Rule• Security Rule• Breach Notification Rule
    6. 6. #6#6#rightscalecompute#6The “3 Main Rules”• They apply to covered entities and business associates• Privacy: Impose controls around preventing unauthorizeddisclosure of protected healthcare information in any form• Security: Purpose is to prevent unauthorized electronic accessto protected healthcare information• Breach Notification: Purpose is to ensure timely notification ofaffected parties in event of a failure in the above 2 controls
    7. 7. #7#7#rightscalecompute#7About HITECH• HITECH Act, part of the American Recovery and ReinvestmentAct of 2009• Made law February 17, 2009 (13 years after HIPAA)• Is the “enforcement” rule that give HIPAA teeth
    8. 8. #8#8#rightscalecompute#8Important Terms• Covered Entity:• A health plan, A health care clearinghouse, A health care provider whotransmits any health information in electronic form in connection with atransaction• Business Associate: Operates on behalf of a CE• Think: function or activity involving the use or disclosure of individuallyidentifiable health information: claims processing or administration, dataanalysis, processing or administration, utilization review, qualityassurance, billing, benefit management, etc.• Protected Healthcare Information• Think Individually identifiable health information:• Any demographic information related to the condition, provision orpayment of health care to an individual• Identifies the individual
    9. 9. #9#9#rightscalecompute#9Privacy Rule Primer• Requires appropriate safeguards to protect the privacy ofpersonal health information• Sets limits and conditions on the uses and disclosures thatmay be made of such information without patient authorization• All about authorized disclosure
    10. 10. #10#10#rightscalecompute#10Security Rule Primer• Maintain reasonable and appropriate administrative, technical,and physical safeguards for protecting e-PHI• Specifically:• Ensure the confidentiality, integrity, and availability of all e-PHI they create,receive, maintain or transmit;• Identify and protect against reasonably anticipated threats to the securityor integrity of the information;• Protect against reasonably anticipated, impermissible uses or disclosures;and• Ensure compliance by their workforce• Required and Addressable Implementation Specifications• “Required" implementation specifications must be implemented• “Addressable" permits entities to adopt an alternative measure thatachieves the purpose of the standard
    11. 11. #11#11#rightscalecompute#11Breach Notification Primer• Notification required if breach involved unsecured protectedhealth information• Unsecured is PHI that has not been rendered unusable, unreadable, orindecipherable to unauthorized individuals• Covered entities must notify• Affected individuals• Prominent media outlets serving the State or jurisdiction if >500 residents• Notify HSS within 60 days (if <500 can do annually)• Business Associate must notify the covered entity (w/in 60days)• Burden of proof• All required notifications have been provided –OR–• Disclosure did not constitute a breach
    12. 12. #12#rightscalecomputeSubliminal Messaging: HIPPA compliance inpublic cloud is aboutgovernance
    13. 13. #13#13#rightscalecompute#13Main Changes• Business Associates• State law preemption• Use of PHI in Marketing• Application of HIPAA to hybrid entities• Breach notification
    14. 14. #14#14#rightscalecompute#14Business Associate• By law, the HIPAA Privacy Rule applied only to covered entities• The Privacy Rule allows covered providers and health plans todisclose protected health information to these “businessassociates” if the providers or plans obtain satisfactoryassurances that the business associate will use theinformation only for the purposes for which it was engaged bythe covered entity, will safeguard the information from misuse,and will help the covered entity comply with some of thecovered entity‟s duties under the Privacy Rule.
    15. 15. #15#15#rightscalecompute#15Who is a Business Associate?• Those who will create, receive, maintain, or transmit protectedhealth information for a covered entity• Generally a person who performs functions or activities on behalf of, orcertain services for, a covered entity that involve the use or disclosure ofprotected health information.• New: Specific call out for• Patient Safety Organizations• Health Information Organizations (HIO), E-Prescribing Gateways, andOther Persons That Facilitate Data Transmission; as Well as Vendors ofPersonal Health Records• Subcontractors {recursive}
    16. 16. #16#16#rightscalecompute#16Conduit and Incidental exceptions• With persons or organizations (e.g., janitorial service orelectrician) whose functions or services do not involve the useor disclosure of protected health information, and where anyaccess to protected health information by such persons wouldbe incidental, if at all.• With a person or organization that acts merely as a conduit forprotected health information, for example, the US PostalService, certain private couriers, and their electronicequivalents.
    17. 17. #17#17#rightscalecompute#17Conduit exception clarification• ... We note that the conduit exception is limited totransmission services (whether digital or hard copy)… Incontrast, an entity that maintains protected health informationon behalf of a covered entity is a business associate and nota conduit, even if the entity does not actually view theprotected health information…the difference between the twosituations is the transient versus persistent nature of thatopportunity. For example, a data storage company that hasaccess to protected health information (whether digital or hardcopy) qualifies as a business associate, even if the entity doesnot view the information or only does so on a random orinfrequent basis. (emphasis added)
    18. BAA: Is it Optional?
    • Per page 5591:
      • Comment: One commenter suggested that business associate agreements should be an "addressable" requirement under the Security Rule.
      • Response: The HITECH Act does not remove the requirements for business associate agreements under the HIPAA Rules. Therefore, we decline to make the execution of business associate agreements an "addressable" requirement under the Security Rule.
    • If you decide to forgo the BAA, make an informed decision …
    19. Direct Liability & Sub-Contractors
    • Modified to implement the HITECH Act's provisions extending direct liability for compliance to business associates
    • Now directly liable for civil money penalties
    • A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate
    • A BA must have a BAA with its subcontractors (each is just another BA). This is recursive.
    20. Status on our cloud providers and BAA
    • The good news is that several of our cloud providers will sign a BAA.
      • Azure: Will sign a BAA
      • Datapipe: On a case-by-case basis
      • AWS: No public statement
        • We have heard from at least one customer that they were able to get AWS to sign a BAA
      • GCE: Not at this time
      • Rackspace: Not at this time
      • Softlayer: Not at this time
    21. RightScale and BAA
    • We do not have access to ePHI
      • If we are invited to an account, we may have "incidental" access
    • RightLink runs on the instance; it does not interact with the electronic personal health information (ePHI) as part of its normal operations
      • You don't sign a BAA with your AV vendor
    • Our understanding is that RightScale is not a Business Associate
    22. Preemption of State Law
    • HIPAA privacy requirements are to supersede only contrary provisions of State law
    • State law supersedes where the provision of State law provides more stringent privacy protections than the HIPAA Privacy Rule
    23. Marketing use of PHI
    • Marketing communications that involve financial remuneration
      • Covered entity must obtain a valid authorization from the individual before using or disclosing
      • Authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party
    24. Hybrid entities
    • The covered entity itself, and not merely the health care component, is responsible for business associate arrangements and other organizational requirements
    • Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component
    25. Changes to Breach Notification Rule
    • Clarified the term "Breach"
      • Basically guilty until proven innocent
    • Changed "risk of harm" to "low probability PHI compromised"
      • Means you have to do a risk assessment. Can you?
    • Changed "unauthorized individuals" to "unauthorized persons."
    • How does the BNR affect you?
      • You need to be watching (remember willful neglect?)
      • Review is important
      • Need to have a mechanism for notification
      • Business Associates need to notify Covered Entities
    26. Consequences
    • Fines
    • Caps on types, not totals

      Violation Category               Each Violation     Annual cap on identical violations
      Did not know                     $100-$50,000       $1.5m
      Reasonable Cause                 $1,000-$50,000     $1.5m
      Willful Neglect - Corrected      $10,000-$50,000    $1.5m
      Willful Neglect - Not Corrected  $50,000            $1.5m
    27. Time Frames
    • Passed January 25th, 2013
    • In effect March 26, 2013
    • Compliance date is September 23, 2013
    • 180 days: "In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules …"
    28. Subliminal Messaging: HIPAA compliance in public cloud is about governance
    29. Conclusion
    • Rules are set; you should read the Omnibus Rule
    • Managing your Business Associates is critical
    • If you are a Business Associate, you now have direct liability
    • You are responsible for your subcontractors, and they for their subcontractors
    • Good security, as always, will cover most of what you need.
    30. Can using RightScale help?
    • RightScale's management features can be helpful as companies work to comply with HIPAA
    • Features such as:
      • Monitoring
      • Access control
      • Audit trails
      • ServerTemplate
    • While not "HIPAA compliance features," they can be tools that help customers implement their HIPAA procedures.
    31. April 25-26, San Francisco. Cloud success starts here
    32. My Contact Info
    • Email: phil@rightscale.com
    • Twitter: sec_prof
    • Google+: phil@rightscale.com