
Rightscale webinar-hipaa-public-cloud




Slide 1: HIPAA in Public Cloud: The Rules Have Been Set
Watch the video of this presentation
Slide 2: Your Panel Today
Presenting:
• Phil Cox, Director of Security and Compliance, RightScale
Q&A:
• Ryan Geyer, Cloud Solutions Engineer, RightScale
• Michael Curry, Account Manager, RightScale
Please use the "Questions" window to ask questions any time!
Slide 3: Introduction
• On January 25, 2013, HHS released the Omnibus Rule, which finalized all the former HIPAA/HITECH interim rules
• Most of this session will be about HIPAA/HITECH and not necessarily cloud (if you don't understand the former, you'll have no clue how to apply it to the latter)
Slide 4: My Core Message for Today
HIPAA compliance in public cloud is about governance.
Slide 5: Can Using RightScale Help?
• RightScale's management features can be helpful as companies work to comply with HIPAA:
  • Monitoring
  • Access control
  • Audit trails
  • ServerTemplate
• Advanced monitoring and auditing capabilities are best practices that will help you comply with HIPAA regulations
• Gives visibility into system access and configurations when performing a risk assessment after an allegation of a breach
Slide 6: Healthcare in the Cloud with RightScale
• Developed self-service lab environments
• Reduced provisioning time from 25 days to 30 minutes
• Measures costs in cents per hour for compute and storage
• Integrated public and private clouds
• Satisfied regulatory and audit requirements
• Automated provisioning for Windows environments
Slide 7: Agenda
• Quick HIPAA level set
• Key Rules
• Wrap-up
Slide 8: Important Terms
• Covered Entity (CE):
  • A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction
• Business Associate (BA): operates on behalf of a CE
  • Think: a function or activity involving the use or disclosure of individually identifiable health information: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, etc.
• Protected Health Information (PHI)
  • Think: individually identifiable health information
    • Any demographic information related to the condition, provision or payment of health care to an individual
    • Identifies the individual
Slide 9: More Term Definitions
• HHS: US Department of Health and Human Services. Basically the ones that make the rules
• Secretary: runs HHS
• NIST: National Institute of Standards and Technology (US). The US federal technology agency that, for our purposes, works with industry to develop technology standards and guidance.
  • The US federal government defers to NIST technical publications and standards for just about everything.
Slide 10: About HIPAA
• HIPAA is the Health Insurance Portability and Accountability Act of 1996
• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  • Defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information
• 3 main "Rules" from the Administrative Simplification Rules:
  • Privacy Rule
  • Security Rule
  • Breach Notification Rule
• More about these later ...
Slide 11: About HITECH
• HITECH Act, part of the American Recovery and Reinvestment Act of 2009
• Made law February 17, 2009 (13 years after HIPAA)
• Is the "enforcement" act that gave HIPAA teeth
Slide 12: Back to HIPAA: The "3 Main Rules"
• They apply to covered entities and business associates
• Privacy: imposes controls to prevent unauthorized disclosure of protected health information in any form
• Security: purpose is to prevent unauthorized electronic access to protected health information
• Breach Notification: purpose is to ensure timely notification of affected parties in the event of a failure of the above 2 controls
Slide 13: Privacy Rule Primer
• Requires appropriate safeguards to protect the privacy of personal health information
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• All about authorized disclosure
Slide 14: Security Rule Primer
• Maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI
• Specifically:
  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce
• Required and Addressable Implementation Specifications
  • "Required" implementation specifications must be implemented
  • "Addressable" permits entities to adopt an alternative measure that achieves the purpose of the standard; "addressable" does not mean optional, and the decision and its rationale must be documented
Slide 15: Breach Notification Primer
• Notification is required if the breach involved unsecured protected health information
  • Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals
• Covered entities must notify:
  • Affected individuals
  • Prominent media outlets serving the State or jurisdiction if more than 500 residents are affected
  • HHS within 60 days (if fewer than 500 individuals are affected, this can be done annually)
• A Business Associate must notify the covered entity (within 60 days)
• Burden of proof is on the entity to show that:
  • All required notifications have been provided, or
  • The disclosure did not constitute a breach
Slide 16: Key Issues When Dealing with "Cloud"
• Per the recent NIST conference:
• Location
  • Where is PHI? (geographic location)
  • Providers need to give assurance and warrants
• Breach
  • What does the provider do to prevent breaches of PHI?
  • If there is a breach, what is the response capability?
• Access
  • Proper controls to limit access
  • Monitoring: can the provider give the following?
    • Not only modifications, but read/print too?
    • Any access?
Slide 17: Agenda
• Quick HIPAA level set
• Key Rules
• Wrap-up
Slide 18: Changes Affecting HIPAA & Public Cloud
• Business Associates
• Breach notification
• State law preemption
• Use of PHI in marketing
• Application of HIPAA to hybrid entities
Slide 19: Business Associate
• By law, the HIPAA Privacy Rule applied only to covered entities
• The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule.
Slide 20: Who Is a Business Associate?
• Those who create, receive, maintain, or transmit protected health information for a covered entity
  • Generally a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.
• New: specific call-out for
  • Patient Safety Organizations
  • Health Information Organizations (HIOs), e-prescribing gateways, and other persons that facilitate data transmission, as well as vendors of personal health records
  • Subcontractors (recursive)
Slide 21: There Are Exceptions
• Incidental Access: with persons or organizations (e.g., a janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
• Conduit: with a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents ...
Slide 22: Conduit Exception Clarification
"... We note that the conduit exception is limited to transmission services (whether digital or hard copy) ... In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information ... the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis." (emphasis added)
Slide 23: Why BA Focus?
• 1/3 of all breaches are related to 3rd parties
• 55% of people affected are related to 3rd parties
• So a 3rd-party disclosure has a larger impact than a non-3rd-party one
Slide 24: HHS Theme with BAs
• Persistency of data, not degree of access, is the key driver
• Focus on:
  • Security Rule: technical, administrative, physical
  • Privacy Rule: use and disclosure
• Direct liability
  • Criminal & civil
  • Flows to subcontractors
• Does encryption remove you from being a BA?
  • At this time, as I understand it, NO.
  • More on this in a bit ...
Slide 25: What HHS Is Pushing
• Trend is more towards risk
• Beef up contracts with respect to security
  • Represent and warrant that they meet the controls that are specified in the appendix of the contract/agreement
  • Pre-contract assessment (quick hit)
  • Post-contract audit
• Risk assessment
  • Short form
    • What PHI
    • Where is it
  • Use that to assess risk and identify specific controls for a given BA
Slide 26: Direct Liability & Subcontractors
• Modified to implement the HITECH Act's provisions extending direct liability for compliance to business associates
  • Now directly liable for civil money penalties
• A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate
  • A BA must have a BAA with its subcontractors (just another BA). This is recursive.
Slide 27: BAA: Is It Optional?
• Per page 5591 of the Federal Register notice:
  • Comment: One commenter suggested that business associate agreements should be an "addressable" requirement under the Security Rule.
  • Response: The HITECH Act does not remove the requirements for business associate agreements under the HIPAA Rules. Therefore, we decline to make the execution of business associate agreements an "addressable" requirement under the Security Rule.
• If you decide to forego the BAA, make an informed decision ...
Slide 28: Changes to Breach Notification Rule
• Clarified the term "Breach"
  • Basically guilty until proven innocent
• Changed "risk of harm" to "low probability PHI compromised"
  • Means you have to do a risk assessment. Can you? (next slide)
• Changed "unauthorized individuals" to "unauthorized persons"
• How does the BNR affect you?
  • You need to be watching (if not, maybe "willful neglect"?)
  • Review is important
  • Need to have a mechanism for notification
  • Business Associates need to notify Covered Entities
Slide 29: Risk Assessment Considerations
1. Nature and extent of PHI involved
   • Types of identifiers and likelihood of re-identification
2. Who accessed/used the information
3. Whether the PHI was actually acquired/viewed
4. Extent to which the risk to PHI has been mitigated
OR: Notify!
Slide 30: What about Encryption?
• If protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals, then no breach notification is required
  • The safe harbor assumes the key or decryption process was not compromised along with the data
• Encryption must be consistent with NIST guidelines:
  • NIST Special Publication 800-111 (storage)
  • NIST Special Publications 800-52, 800-77 (transit)
  • NIST Special Publication 800-88 (destruction)
  • Federal Information Processing Standards (FIPS) 140-2 (validated crypto)
• It does not remove you from being a BA, but it does limit breach notification
• The NIST conference seemed to indicate HHS is looking at this.
Slide 31: Preemption of State Law
• HIPAA privacy requirements supersede only contrary provisions of State law, UNLESS State law provides more stringent privacy protections than the HIPAA Privacy Rule
Slide 32: Marketing & Other Use of PHI
• Marketing communications that involve financial remuneration
  • In reality, anything other than billing that involves financial remuneration
• The covered entity must obtain a valid authorization from the individual before using or disclosing
• The authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party
Slide 33: Hybrid Entities
• The covered entity itself is responsible, and not merely the health care component (HCC)
  • If you share PHI with the non-HCC part of your organization, it could be considered a breach
• Responsible for business associate arrangements and other organizational requirements
• Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component
Slide 34: Consequences
• Fines
• Caps are per violation type, not totals

Violation Category              Each Violation        Annual cap on identical violations
Did not know                    $100 - $50,000        $1.5M
Reasonable cause                $1,000 - $50,000      $1.5M
Willful neglect, corrected      $10,000 - $50,000     $1.5M
Willful neglect, not corrected  $50,000               $1.5M
Slide 35: Real World Example
• Idaho State University (ISU): 17,500 patients at ISU's Pocatello Family Medicine Clinic.
  • The breach was blamed on the disabling of firewall protections, and the failure of ISU to notice the change or the lack of protection.
• Consequences
  • $400,000 fine (>$20/account) + internal costs ($200K)
  • 2-year Corrective Action Plan, defining enhanced security procedures and increased reporting to HHS; likely 1 FTE ($400K over 2 years)
• Proactive alternative:
  • A firewall management tool: $40K procurement, $15K second-year maintenance costs and 0.1 FTE.
• Punch line: if they had spent $75K they could have saved $1M
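The ISU finding turned on a firewall change that nobody noticed, so the control that matters is recording a baseline of the ruleset and alerting on drift. The script below is an added example, not RightScale's or the presenter's code: it normalizes two constructed `iptables-save` dumps (the recorded baseline and a later capture), discards comments and packet counters so that ordinary traffic does not register as a change, and compares default chain policies and rules, flagging a default policy that flips to ACCEPT as critical. The rulesets, chain contents and addresses are made up for illustration.

```python
"""Detect drift in a host firewall ruleset against a recorded baseline.

Added example. Input format is iptables-save output; the samples below are
constructed and do not describe any real system.
"""
import hashlib
import re
from typing import Dict, List

# Constructed sample: what iptables-save printed when the baseline was recorded.
BASELINE_RULESET = """\
# Generated by iptables-save v1.4.21 on Mon Jan 14 09:00:00 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [120:9800]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
# Completed on Mon Jan 14 09:00:00 2013
"""

# Constructed sample: the same host later. The INPUT default policy has been
# flipped to ACCEPT and the source restriction on SSH is gone.
CURRENT_RULESET = """\
# Generated by iptables-save v1.4.21 on Tue Mar 05 17:42:10 2013
*filter
:INPUT ACCEPT [55:4100]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9001:512000]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Mar 05 17:42:10 2013
"""

# Trailing "[packets:bytes]" counters on policy lines change with traffic, not policy.
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]$")


def normalize(ruleset: str) -> List[str]:
    """Keep table, policy and rule lines; drop comments (timestamps) and counters."""
    lines = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lines.append(COUNTER_RE.sub("", line))
    return lines


def fingerprint(ruleset: str) -> str:
    """SHA-256 over the normalized ruleset; record this alongside the baseline."""
    return hashlib.sha256("\n".join(normalize(ruleset)).encode()).hexdigest()


def chain_policies(lines: List[str]) -> Dict[str, str]:
    """Map chain name to default policy from ':CHAIN POLICY' lines."""
    policies = {}
    for line in lines:
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
    return policies


def assess(baseline: str, current: str) -> List[str]:
    """Return human-readable findings, most severe first; empty means no drift."""
    findings: List[str] = []
    if fingerprint(baseline) == fingerprint(current):
        return findings
    base_lines, cur_lines = normalize(baseline), normalize(current)
    base_pol, cur_pol = chain_policies(base_lines), chain_policies(cur_lines)
    for chain in sorted(set(base_pol) | set(cur_pol)):
        if base_pol.get(chain) != cur_pol.get(chain):
            # A default policy opening up is the ISU failure mode: treat it as critical.
            sev = "CRITICAL" if cur_pol.get(chain) == "ACCEPT" else "WARNING"
            findings.append(f"{sev}: default policy of {chain} changed "
                            f"{base_pol.get(chain)} -> {cur_pol.get(chain)}")
    base_rules = {l for l in base_lines if l.startswith("-A")}
    cur_rules = {l for l in cur_lines if l.startswith("-A")}
    for rule in sorted(base_rules - cur_rules):
        findings.append(f"WARNING: rule removed: {rule}")
    for rule in sorted(cur_rules - base_rules):
        findings.append(f"WARNING: rule added: {rule}")
    return findings


if __name__ == "__main__":
    for finding in assess(BASELINE_RULESET, CURRENT_RULESET) or ["no drift"]:
        print(finding)
```

In practice the baseline fingerprint would be stored off the host and the comparison run from a scheduled job or configuration-management check, so that the same actor who disabled the firewall cannot also silence the alert.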
Slide 36: Timeframes
• Passed January 25, 2013
• In effect March 26, 2013
• Compliance date is September 23, 2013
  • 180 days: "In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules ..."
Slide 37: Conclusion
• The rules are set; you should read the Omnibus Rule
• Managing your Business Associates is critical
• If you are a Business Associate, you now have direct liability
• You are responsible for your subcontractors, and they for their subcontractors
• Good security, as always, will cover most of what you need.
Slide 38: Can Using RightScale Help?
• RightScale's management features can be helpful as companies work to comply with HIPAA:
  • Monitoring
  • Access control
  • Audit trails
  • ServerTemplate
• Advanced monitoring and auditing capabilities are best practices that will help you comply with HIPAA regulations
• Gives visibility into system access and configurations when performing a risk assessment after an allegation of a breach
Slide 39: Status on Our Cloud Providers and BAAs
• The good news is that several of our cloud providers will sign a BAA.
  • Azure: will sign a BAA
  • Datapipe: on a case-by-case basis
  • AWS: no public statement
    • We have heard from at least one customer that they were able to get AWS to sign a BAA
  • GCE: not at this time
  • Rackspace: not at this time
  • SoftLayer: not at this time
Slide 40: RightScale and BAAs
• We do not "create, receive, maintain, or transmit" PHI
• We do not have access to PHI
  • If we are invited to an account, we may have "incidental" access
• RightLink runs on the instance; it does not interact with the electronic protected health information (ePHI) as part of its normal operations
  • You are not required to sign a BAA with your AV vendor
• Our understanding is that RightScale is not a Business Associate
Slide 41: Questions?
Slide 42: My Contact Info
• Email:
• Twitter: sec_prof
• Google+: