
Cloud Computing in Healthcare: HIPAA and State Law Challenges
Navigating Privacy and Security Risks

Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, JUNE 12, 2013
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:
Matthew A. Karlyn, Partner, Cooley, Boston
Andrew Gantt, Partner, Cooley, Washington, D.C.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.


Attorney advertisement. © 2013 Cooley LLP
Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306

The content of this packet is an introduction to Cooley LLP's capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.

Privacy and Security Issues for Cloud Computing in Healthcare

Matthew A. Karlyn, Partner, Cooley LLP, (617) 937-2355, [email protected]
Andrew Gantt, Partner, Cooley LLP, (202) 842-7842, [email protected]

June 12, 2013

Health IT's Migration to the Cloud

Current Use
• 30 percent of health care organizations report using cloud technology for clinical and non-clinical applications, according to a CDW tracking poll:
  • Electronic Health Records (EHR)
  • Radiology images
  • Telemedicine
  • Patient management
  • Revenue cycle management and/or patient billings and claims management

Health IT's Migration to the Cloud

Projected Use
• 71 percent of health care organizations are either deploying or plan to deploy cloud technology, according to a survey by KLAS Research
• Worldwide cloud services revenue is projected to reach $148.8 billion in 2014, according to a Gartner study

Definitions of Cloud Computing

Characteristics
• Delivery over the Internet (i.e., the "cloud")
• Software, platform or infrastructure resources provided as services
• Scalability on demand
• Utility and/or subscription billing (i.e., based on the Customer's actual use and/or a period of time)

Types of Cloud Computing Services
• Software-as-a-Service (SaaS) refers to the Provider's software being delivered over the cloud to the Customer as a service (e.g., electronic health record systems)
• Platform-as-a-Service (PaaS) refers to the Provider's software development platforms being delivered over the cloud to the Customer as a service (e.g., interface development)
• Infrastructure-as-a-Service (IaaS) refers to virtual servers, memory, processors, storage, network bandwidth, and other types of infrastructure resources delivered over the cloud to the Customer as a service (e.g., data hosting)

Models of Cloud Deployment
• Public Clouds: owned and operated by a cloud provider
• Private Clouds: computing environment operated exclusively for one organization
• Community Clouds: computing environment exclusive to 2+ organizations with similar considerations
• Hybrid Clouds: composition of 2 or more clouds

Benefits of Cloud Technology
• Reduction in capital costs
• Enhanced computing power
• Greater flexibility
• Lower upfront risks and complexity
• Availability of in-house expertise

That all sounds great…

BUT there are risks…

What are the privacy and security risks that health care organizations evaluating cloud computing solutions should consider?

Compliance Risks – Privacy and Security
• Evaluation of risk involves consideration of the sensitivity of the data, the criticality of the services, and the heightened compliance risks associated with cloud computing
• Individually identifiable health information is high-risk data and is often part of critical business processes being supported by the cloud computing solution
• Solutions must be carefully evaluated to ensure the benefits outweigh the risks, and compliance measures, contractual protections and operational precautions must be in place

HIPAA, HITECH and State Law
• HIPAA, as amended by the HITECH Act, requires health plans, health care clearinghouses, and covered health care providers (Covered Entities) to safeguard protected health information (PHI)
• The HITECH Act made Business Associates (BA) of Covered Entities directly regulated by HIPAA
• Comparable state laws exist, and HIPAA does not preempt more stringent state law requirements
• Responsibility for compliance cannot be delegated to the cloud provider

HIPAA and the Cloud: Changes Under HIPAA Omnibus Rule
• A BA must comply with the technical, administrative, and physical safeguard requirements under the Security Rule, and is liable for Security Rule violations
• A BA must comply with the use or disclosure limitations expressed in its contract and those in the Privacy Rule; criminal and civil liabilities attach for violations
• The BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities
• Subcontractors of a BA are now defined as a BA, clarifying that BA liability flows to all subcontractors

HIPAA and the Cloud: Changes Under HIPAA Omnibus Rule (cont'd)
• The Rule estimates an impact on 250,000-500,000 BAs at a cost of $21M-$42M (only $84 per BA!)
• The Rule reflects the new, post-HITECH reality that business associates (BA) are directly regulated by OCR
• BAs and subcontractors can only use and disclose PHI as permitted by the BAA or required by law; the terms of the BAA remain critical
• The definition of BA includes:
  • Entities that transmit and need routine access to PHI (e.g., Health Information Organization, E-Prescribing Gateway);
  • PHR vendors who serve CEs; and
  • Subcontractors who create, receive, maintain or transmit PHI for a BA

HIPAA and the Cloud: Conduit Exception Limited

Conduit Exception
• The conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission
• However, an entity that maintains PHI on behalf of a CE (e.g., a document storage company) is a BA and not a conduit, even if the entity does not actually view the PHI
• The transient versus persistent nature of the opportunity to view data is relevant
• The "random or infrequent access to PHI" standard still applies, but is interpreted more narrowly
• More guidance is expected on conduits

HIPAA and the Cloud: Transition Provisions

Business Associate Agreement Transition Provisions
• The Rule is effective March 26, 2013; compliance is due within 180 days (September 23, 2013)
• If, prior to January 25, 2013, a CE (or a BA with respect to a subcontractor) has entered into and is operating pursuant to a BAA with the BA (or subcontractor, as applicable) that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date, and the BAA is not renewed or modified from March 26, 2013 until September 23, 2013, it shall be deemed compliant until the earlier of:
  • The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
  • September 22, 2014
• A similar transition provision exists for data use agreements

HIPAA and the Cloud: Breach Standard
• The interim final regulation said the statute incorporated a "risk of harm" threshold: notice was required where there is a "significant risk of financial, reputational or other harm"
• Covered entities have been reporting breaches under this standard since the interim final rule took effect in 2009

HIPAA and the Cloud: Breach Standard (cont'd)
• The Omnibus Rule modified the "presumption" for breach reporting: notification to affected individuals is required unless the covered entity "demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment"
• Instead of the risk of harm standard, a "risk assessment" is required to determine whether there is a low probability of a "compromise" of the PHI
• If the risk assessment reveals a low probability of compromise, notification is not required
• A covered entity can provide notice without performing a risk assessment

HIPAA and the Cloud: Breach Standard (cont'd)

The risk assessment must consider at least the following four factors (45 C.F.R. § 164.402):
• The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the protected health information or to whom the disclosure was made;
• Whether the protected health information was actually acquired or viewed; and
• The extent to which the risk to the protected health information has been mitigated.

Evaluating the Risk of Cloud Computing

Compliance with State Security Laws
• Some states also mandate security controls for Personal Information (which might be defined to include health information) or Electronic Health Records

Compliance with Data Breach Reporting Laws
• Forty-seven states have breach-reporting laws
• Some apply to health information; others to social security and financial account information

Organizations may need to comply with both federal and state laws, if state law is more stringent

Evaluating the Risk of Cloud Computing (cont'd)

Liability
• Privacy and security requirements
• Civil penalties
• Private causes of action

Data Breaches
• ANSI developed a formula to estimate the financial impact of a breach
• It estimated a $26.5 million financial impact for a breach of 845,000 medical records

Evaluating the Risk of Cloud Computing (cont'd)

Data Security
• Internet-facing services: risks associated with services being delivered over the internet, e.g., increased exposure to web browser attacks
• Multi-tenancy environment: risks associated with data being stored on a server with other customers' data, e.g., increased risk of unauthorized disclosure
• System complexity: risks associated with the interaction of multiple services, e.g., having a greater "attack surface"

Evaluating the Risk of Cloud Computing (cont'd)

Contractual Relationships with Downstream Vendors
• Accountability for the privacy of health information cannot simply be delegated to a cloud provider
• HITECH holds Business Associates responsible for civil penalties (42 U.S.C. § 17931(b)), but …
• Notification costs, mitigation of harm, and damages must be addressed contractually
• State law and the Federal Trade Commission may differ with respect to the responsibility of organizations for the actions of their subcontractors

Part 3 – Speaking of Contracts…
• Cloud computing agreements have some similarity to licensing agreements, but have more in common with hosting or ASP agreements

Licensing vs. the Cloud

Traditional Licensing/Hardware Purchase
• Vendor installs the software or equipment in the Customer's environment
• Customer has the ability to have the software or hardware configured to meet its needs
• Customer retains control of the data

In the Cloud…
• Software, hardware and Customer data are hosted by the Provider, typically in a shared environment (e.g., many customers per server)
• Software and hardware configuration is much more homogeneous across all customers

Licensing vs. the Cloud (cont'd)

Shift of Top Priorities
• From configuration, implementation and acceptance (in the licensing world) to service availability, performance, service levels, data security and control (in the cloud)

Traditional Provisions Retain Importance
• In particular: insurance, indemnity, intellectual property, limitations of liability, warranties

Cloud Customers Must Make Important Decisions
• There are no standard forms that work for every customer, for every product, in every deal
• Some commonly used outsourcing and software licensing terms may be useful, but cannot be uniformly applied to cloud computing transactions
• More robust contractual protection and provisions that address issues unique to the cloud are likely needed
• For "low risk" deals, a low-risk solution may outweigh the need for contractual protections
• For "high risk" deals, it is better to take a closer look and include the provisions that will protect your company
• Note that robust contractual protections may have an impact on price and eliminate certain providers altogether

The Focus of Cloud Computing Transactions

Focus should be on:
• The criticality of the software, data and services to the enterprise
• The unique issues presented by a cloud computing environment
• The service levels and pricing offered by different suppliers and for different services

Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point

Part 4 – Key Contractual Issues in Cloud Computing
• Pre-Agreement Due Diligence
• Service Availability
• Service Levels
• Data Security
• Insurance
• Indemnification
• Limitation of Liability
• Warranties
• Term
• Fees

Pre-Agreement Due Diligence

Can the Provider meet your organization's expectations? Require the Provider to complete a due diligence questionnaire, with particular attention to:
• The Provider's financial condition and corporate responsibility
• Location of the data, including disaster recovery facilities
• The Provider's use of subcontractors and contractual relationships
• The Provider's security infrastructure and policies and procedures

Service Availability
• If the Provider stops delivering services, the Customer will have no access to the services (which may be supporting a critical business function) and, perhaps more importantly, no access to the Customer's data stored on the Provider's systems
• The Customer must be able to continue to operate and have access to its data at all times

Service Availability (cont'd)

What Do You Need?
• If the Provider is maintaining Protected Health Information (PHI), a disaster recovery plan and an emergency mode operation plan
• Application of the terms of the agreement to the Provider's disaster recovery site
• The Provider's agreement not to withhold services (even if there is a dispute)

Service Availability (cont'd)

Protections Against the Provider's Financial Instability
• Enable the Customer to identify issues in advance
• Quarterly reporting to allow the Customer to assess the overall strength and financial viability of the Provider
• Ability to terminate the Agreement if the Customer concludes the Provider does not have the financial wherewithal to fully perform as required
• In-house software solution: consider requiring the Provider to make available or develop an in-house solution to replace the software services if it stops providing those services

Service Levels

Uptime Service Level
• Services must be available to the Customer at all times to support operations
• Outage window
• Measurement period
• Remedies
• Require the Provider to monitor servers by automatic pinging
• "Unavailability" should include severe performance degradation

Service Response Time

Service Levels (cont'd)

Uptime Terms
• Require the Provider to make services available continuously, as measured over the course of each calendar month, an average of 99 percent of the time
• Excluding unavailability as a result of defined Exceptions:
  • Unavailability due to the Customer's acts or omissions
  • The Customer's internet connectivity

Service Levels (cont'd)

Response Time
• Maximum latencies and response times for the Customer's use of the Services
• Average download time for each page of the Services within the lesser of (i) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index ("KB40") or (ii) two (2) seconds
• Provide for a successor index if the KB40 is discontinued
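The uptime and response-time terms above are only as good as the Customer's ability to measure them independently rather than accept the Provider's own figures. As an added example that is not part of the Cooley materials, the following Python script computes the monthly uptime percentage from a customer-side probe log, drops probes that fall inside contractual exclusion windows, treats a page slower than the contract cap as unavailable (the "severe performance degradation" point from the earlier slide), and reads the response-time clause as a cap of min(KB40 + 0.5 s, 2 s). The five-minute probe cadence, the KB40 value, the outage and exclusion windows, and the probe log itself are constructed assumptions for the demonstration.

```python
"""Monthly uptime check against a 99 percent service level.

Added example, not from the webinar. Assumes the Customer runs its own
periodic probe of the service and keeps the results; all data here is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Probe:
    at: datetime
    ok: bool          # True if the probe received a correct response
    latency_s: float  # measured page response time in seconds


SLA_TARGET_PCT = 99.0                  # "99 percent ... over each calendar month"
PROBE_INTERVAL = timedelta(minutes=5)  # assumed probe cadence


def latency_cap(kb40_weekly_s):
    """Contract cap on page time: the lesser of KB40 + 0.5 s or 2.0 s."""
    return min(kb40_weekly_s + 0.5, 2.0)


def month_bounds(year, month):
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def in_window(t, windows):
    """True if t falls in any half-open [start, end) window."""
    return any(start <= t < end for start, end in windows)


def monthly_uptime(probes, year, month, exclusions, cap_s, count_degradation=True):
    """Percent of non-excluded probes in the month that were available.

    A probe is 'down' if it failed outright or, when count_degradation is set,
    if its latency exceeded the contract cap (degradation counts as unavailability).
    """
    start, end = month_bounds(year, month)
    measured = down = 0
    for p in probes:
        if not (start <= p.at < end) or in_window(p.at, exclusions):
            continue  # outside the measurement period or a defined Exception
        measured += 1
        degraded = count_degradation and p.latency_s > cap_s
        if not p.ok or degraded:
            down += 1
    if measured == 0:
        raise ValueError("no measurable probes in the period")
    pct = 100.0 * (measured - down) / measured
    return {"measured": measured, "down": down, "uptime_pct": pct,
            "sla_met": pct >= SLA_TARGET_PCT}


def synthetic_month(year, month, outages, degradations, slow_s=3.5):
    """Constructed probe log: healthy 0.8 s responses, no response inside
    outage windows, slow responses inside degradation windows."""
    start, end = month_bounds(year, month)
    probes, t = [], start
    while t < end:
        if in_window(t, outages):
            probes.append(Probe(t, False, float("inf")))
        elif in_window(t, degradations):
            probes.append(Probe(t, True, slow_s))
        else:
            probes.append(Probe(t, True, 0.8))
        t += PROBE_INTERVAL
    return probes


# Constructed June 2013 scenario: one 8-hour outage whose first 2 hours fall in
# an agreed exclusion window, plus 2 hours of 3.5 s page loads later in the month.
OUTAGES = [(datetime(2013, 6, 10, 2), datetime(2013, 6, 10, 10))]
EXCLUSIONS = [(datetime(2013, 6, 10, 2), datetime(2013, 6, 10, 4))]
DEGRADATIONS = [(datetime(2013, 6, 20, 12), datetime(2013, 6, 20, 14))]
KB40_WEEKLY_S = 1.5  # assumed index value; gives a 2.0 s cap


def june_2013_report(count_degradation=True):
    probes = synthetic_month(2013, 6, OUTAGES, DEGRADATIONS)
    return monthly_uptime(probes, 2013, 6, EXCLUSIONS,
                          latency_cap(KB40_WEEKLY_S), count_degradation)


if __name__ == "__main__":
    for flag in (True, False):
        r = june_2013_report(flag)
        print(f"degradation counted={flag}: {r['uptime_pct']:.2f}% "
              f"({r['down']} of {r['measured']} probes down), SLA met={r['sla_met']}")
```

Run as written, the same constructed log yields 98.89% when slow pages count as downtime and 99.16% when they do not, so the contractual definition of "Unavailability" alone decides whether the 99 percent service level was met for the month. Keeping the exclusion windows as explicit data also makes it easy to audit which outage minutes the Provider is claiming as Exceptions.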

Service Levels (cont'd)

Other Common Service-level Issues that Customers Should Address
• Simultaneous visitors
• Problem response time and resolution time
• Data return and periodic delivery
• Remedies for failure to meet service levels, which should include financial penalties and termination

Service Levels (cont'd)

Why Are They So Important?
• They assure the Customer that it can rely on the services and provide appropriate remedies if the Provider fails to meet the agreed service levels
• They provide incentives that encourage the Provider to be diligent in addressing issues

Data Security

Business Associate Agreements (BAA)
• Required with the Provider if it hosts data or software containing PHI on its own server, or furnishes software and accesses PHI, even if only for troubleshooting software function (OCR FAQ, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/256.html)
• If BAA provisions are incorporated in End User License Agreements (e.g., with EHR software vendors):
  • Should analyze whether the EULA is valid under state law
  • Likely to contain standard provisions favorable to the Business Associate

Data Security (cont'd)

Business Associate Agreements
• The BAA (or contract) should address the Provider's policies and procedures related to:
  • Security policies unique to the cloud
  • Subcontracting arrangements
  • Location of data
  • Breach notification
  • Data ownership and use rights
  • Data redundancy
  • E-discovery
  • Data conversion/data return

Data Security (cont'd)

Business Associate Agreements
• The HITECH Act requires appropriate administrative, physical, and technical safeguards, but does not address the specific security risks associated with a cloud computing environment (42 U.S.C. § 17931)
• The BAA should address policies that comply with the HITECH Act security requirements and policies that address cloud-specific risks

Data Security (cont'd)

Business Associate Agreements – Security Provisions
• Agree to provide a third party audit to verify compliance
• Allow the Covered Entity access to facilities to determine HIPAA compliance
• Define the Customer's vs. the Provider's responsibilities for security
• Ensure the security policy adequately addresses cloud-specific risks:
  • Technical risks
  • Workforce access
  • Review of audit trails

Data Security (cont'd)

Subcontracting Arrangements
• HIPAA compliance if PHI is involved (45 C.F.R. § 164.504(e)(2)(ii)(D))
• The BAA must ensure that any subcontractors to which the Business Associate provides PHI agree in writing to the same restrictions and conditions that apply to the Business Associate in its agreement with the Covered Entity

Data Security (cont'd)

Subcontracting Arrangements
• Data hosting: who is operating the data center, the Provider or a third party?
  • Ensure the third party host complies with the key terms of the agreement with the Provider
  • The Cloud Provider should be jointly and severally liable with the third party host for any breach of the agreement by the third party host
  • Advance notice of any change of the host
  • Consider entering into a separate confidentiality agreement with the third party host

Data Security (cont'd)

Location of Data
• May determine the jurisdiction and the governing law
• Overseas data may present practical difficulties
• Other state laws may impose additional compliance requirements
• Should consider inclusion of a prohibition on off-shore work and restrictions on data transfer without the prior written consent of the Customer

Data Security (cont'd)

Breach Notification Provisions
• The BAA should establish:
  • The procedures and timeframe for reporting a breach to the Customer
  • The procedures and role of the parties with respect to investigation of the breach and notification of individuals
  • Liability of the Provider
• If subject to HIPAA, must comply with 45 C.F.R. Part 164, Subpart D

Data Security (cont'd)

Breach Notification Provisions
• The Customer should have sole control over the timing, content, and method of notification (if it is required)
• If the Provider is responsible for the breach, then the Provider should reimburse the Customer for its reasonable out-of-pocket expenses in providing the notification, mitigating the harm, and otherwise complying with the law
• Indemnification is a key issue, subject to negotiation between the parties

Data Security (cont'd)

Data Ownership and Use Rights
• The agreement should contain:
  • Clear language regarding the Customer's ownership of data
  • Specific language (i) regarding the Provider's obligations to maintain the confidentiality of such information and (ii) placing appropriate limitations on the Provider's use of such Customer information
  • Strict limitations on the Provider's use of data in aggregated and/or de-identified form
    • Use of aggregate data must be for a health care operations purpose permissible under HIPAA
    • May require indemnification in the event that PHI is not properly de-identified

Data Security (cont'd)

Data Redundancy
• The agreement should contain explicit provisions regarding:
  • The Provider's duty to perform regular backups and the frequency of backups
  • Replication of the Customer database at an off-site location
  • Number of backups to be saved
  • Method for the Customer to retrieve the database backups

Data Security (cont'd)

E-discovery
• The agreement should require the Provider to retain metadata

Data Conversion/Return of Data
• Should ensure that the Customer is not "locked in" to the Provider's solution and that the Provider can return or destroy data at termination of the agreement
• Establish the format for return of data, at no cost to the Customer
• Require the Provider to completely destroy or erase all other copies of the Customer Information
• Require certification of destruction of data

Insurance
• The Customer should insure itself against IT risks by obtaining its own cyber-liability policy
• The Provider should be required to carry:
  • Technology errors and omissions liability insurance
  • A commercial blanket bond, using Electronic & Computer Crime or Unauthorized Computer Access insurance
• Most data privacy and security laws will hold the Customer liable for security breaches whether it was the Customer's fault or the Provider's fault

Indemnification
• Third party claims relating to the Provider's breach of its confidentiality and security obligations, as well as claims relating to infringement of third party intellectual property rights
  • Limitation to copyright is not acceptable
  • Limitation to US IP rights may be acceptable, but consider whether use of the services will occur overseas

Limitation of Liability
• Scrutinize limitation of liability provisions carefully
• If you cannot eliminate the limitation of liability in its entirety, seek the following protections:
  • Mutual protection
  • Appropriate carve-outs (e.g., confidentiality, data security, indemnity)
  • A reasonable liability cap for direct damages

Warranties

The following warranties are common in these types of agreements:
• Conformance to specifications
• Performance of services
• Appropriate training
• Compliance with laws
• No sharing / disclosure of data
• Services will not infringe
• No viruses / destructive programs
• No pending or threatened litigation
• Sufficient authority to enter into the agreement

Fees
• Ability to add and remove resources with a corresponding upward or downward adjustment in the service fees
• Identify all potential revenue streams and make sure that the identified fees are inclusive of such revenue streams
• Lock in recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or another index

Term
• The Customer should be able to terminate the agreement at any time upon notice (14 to 30 days) and without penalty
  • The software and infrastructure are being provided as a service and should be treated as such
• The Provider may request a minimum commitment from the Customer to recoup the Provider's "investment" in securing the Customer as a customer
  • If you agree to this, limit it to no more than one year, and the Provider should be required to provide evidence of its up-front costs to justify such a requirement
• Under HIPAA, Covered Entities must be authorized to terminate the agreement upon knowledge of a material breach (45 C.F.R. § 164.504(e)(2)(iii))

Negotiation
• Leverage is important; you may not be able to obtain all of the protections you want
• Evaluate the business risks:
  • Do the services support a critical business function?
  • Do the services involve sensitive data?
  • Are the services customer facing?

Negotiation (cont'd)
• If you cannot get the protections you want in the most significant areas of risk, consider walking away
• If walking away is not an acceptable option, focus on risk mitigation
  • For example, if the Provider refuses to modify its uptime service level (arguing that it cannot separately administer an uptime warranty for different customers), focus on improved remedies and exit rights for failure to meet the service level

Part 5 – Additional Issues to Consider
• Lack of transparency and control
• IP issues
• Change management and governance/oversight
• Exclusivity
• Post-execution monitoring

QUESTIONS?

Matt Karlyn, Partner, Cooley LLP
500 Boylston Street, Boston, MA 02116
[email protected]
(617) 937-2355

Andrew Gantt, Partner, Cooley LLP
1299 Pennsylvania Avenue, NW, Suite 700, Washington, DC 20004
[email protected]
(202) 842-7842