When the HIPAA omnibus rules were announced in January, many of those in the healthcare industry spoke about how heightened responsibilities for HIPAA covered entities, business associates (BAs) and subcontractors would affect healthcare organizations and their vendors. Because some forms of cloud computing require an organization to entrust its data to a vendor’s remote servers, the new omnibus requirements directly affect some organizations’ cloud agreements. Stephen Wu, a partner at the law firm Cooke Kobrick & Wu LLP, recently discussed how vendors and healthcare organizations alike need to understand HIPAA omnibus ramifications and whether it’s worth deploying a cloud product when taking the new accountability into account.
Considering we don’t hear of many cloud breaches, why is cloud data security so polarizing?
It could be that the cloud service vendors are providing better security than the organizations would provide for themselves. You may not be hearing about breaches because the practices are actually better in the cloud. But organizations are still concerned about the movement of data or the [potentially-inappropriate] access of data from one cloud tenant to another. That’s probably the concern, but there are now private cloud solutions so an organization can have their own infrastructure if they’re worried about tenant access.
With your own private cloud infrastructure, those risks are mitigated. Maybe a vendor helps build that cloud infrastructure out, but the organization would manage it so there’s no possibility of a multi-tenant breach.
How has the HIPAA omnibus rule affected your clients’ cloud agreements?
I think from the vendor’s perspective, you’re going to have some big challenges getting your vendors in line because there’s a significant segment of the vendors out there that have never been BAs before. [It’s not easy because] many of the vendors are selling services to everyone and their grandma and now they have to sign a business associate agreement (BAA) despite the fact that they don’t consider themselves BAs because they’re providing a general service to anyone. But since they’re technically maintaining protected health information (PHI), the upstream covered entities or another BA says that according to the rule, they are a BA. The logic of the HIPAA omnibus rule, especially in the statement by HHS, is that if they are maintaining it as a co-location facility or storage company, they’re maintaining PHI.
How have healthcare vendors reacted?
The vendor community out there is just now coming to grips with this and realizing that they’re going to have to be BAs if they’re going to get healthcare customers. Others are going to say they don’t want the compliance overhead and just not deal with healthcare customers.
There is one co-location facility in Michigan that says “we’re on the hook and this is a competitive advantage for us. You should sign with us instead of other vendors because we’re willing to sign those agreements.”
With that [HIPAA omnibus] relationship, they need to have new agreements in place that assert security agreements and termination rights to flow down from an organization’s BA to the BA’s subcontractor. And there needs to be collaboration on breach notification and detection. Those are some areas that need to be redone in the new agreement.