Health Plans, the Cloud, and HIPAA Privacy and Security
Increasingly, employer-sponsored health plans and their third-party administrators (TPAs) or insurers (as well as health care providers) are interested in storing information in the cloud. Most of that information is Protected Health Information (PHI) and subject to the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). Any health plan or TPA that is considering storing PHI in the cloud should be aware of special HIPAA issues that will need to be addressed as part of the process of deciding whether to use cloud resources and negotiating contracts for cloud services.
The term cloud computing refers to a form of outsourcing computing services. The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."1 In plainer language, cloud computing gives users on-demand access to computing resources from any location, with the ability to increase or decrease capacity as needed, by utilizing shared resources that are available to many users. One of the goals of using the cloud is to reduce user costs by reducing the user's investment in personnel, hardware (and sometimes software), and shifting those costs to the cloud provider. In theory, the cloud provider can allocate those costs over a large number of customers and achieve economies of scale that a single user cannot. Other predicted advantages of cloud computing include greater convenience and efficiency for users, who can access and utilize the cloud resources from any location and with a variety of devices; the ability of users to obtain greater or lesser computing capacity as needed to satisfy workload and data storage requirements; and a reduction of the software footprint on the user's in-house systems.
Cloud Service Models
Clouds come in several varieties. Some are public and are used by multiple customers of the cloud provider with the data of the various users intermingled (although with safeguards and security measures in place to limit access and preserve the privacy and security of each user's data). Other clouds are private, with access available only to a single organization. There are also community clouds, which allow access to more than one user but not to the public.2
The services provided through the cloud also differ, and NIST has identified three service models.
- Software as a Service (SaaS) makes applications that are owned or licensed by the cloud provider available to users on demand, with the cloud provider responsible for updating software, installing patches, and ensuring that the software licenses are properly maintained (e.g., Google Apps for Business offers SaaS). SaaS users can achieve savings by avoiding purchasing their own software licenses and maintaining their software, with those responsibilities shifted to the cloud provider.
- Platform as a Service (PaaS) gives the user access to tools that are maintained by the cloud provider and that can be used to develop applications and to make those applications available to the user's customers (e.g., both AT&T and Oracle offer PaaS).
- Infrastructure as a Service (IaaS) gives the user access to traditional computing resources, such as storage and processing, with the ability to use operating systems and applications of the user's own choosing (e.g., Box.com offers IaaS). This model requires the user to retain responsibility for licensing, updating, and patching its software and applications, and usually requires the user to have a larger information technology staff than the other models.3
Health plans and TPAs are most likely to be interested in SaaS or IaaS. On the other hand, developers of software and applications for use by health plans or other covered entities might be interested in PaaS and might make their products available to health plans through their PaaS cloud providers.
Cloud Risks and Advantages
While use of a cloud model might reduce costs and provide greater efficiency and convenience for users, it also adds risks. Clouds are subject to all of the privacy and security risks that can affect user-owned computer systems, including hacking, user error, and system failures that result from natural disasters, power outages, or technological problems. In addition, use of the cloud gives rise to concerns that might not affect a user-owned system. For example, when data is moved to the cloud, the user gives up some degree of control so that the cloud provider can implement uniform administrative protocols, move data as required to meet the needs of other customers, or provide services such as encryption or archiving. Also, clouds may be more attractive hacking targets than user-owned systems, because of the much greater concentration of data in the cloud.
But cloud users may also achieve improved privacy and security, because many cloud providers automatically encrypt information, establish system-wide privacy and security protocols, store multiple copies of data at separate locations so that a system outage at one location does not make the data unavailable, and offer users access to tools that the user can configure to establish additional privacy and security safeguards.
In order to minimize risks while maximizing savings, efficiency, and convenience, health plans and TPAs that are moving PHI to the cloud should negotiate the terms of their contracts with cloud providers carefully. Currently, some public cloud providers offer their services only on a nonnegotiable basis, on the theory that one size fits all. That approach not only ignores the differences among business sectors (e.g., a health plan or TPA has very different needs than a retailer), it also ignores the special privacy and security protections that must be implemented for PHI.
Business Associate or Conduit?
One of the first issues that a health plan must consider before moving PHI to the cloud is whether the cloud provider is a business associate under HIPAA. In general terms, a person or entity is a business associate if it either performs or assists in performing functions or activities for a covered entity (CE), or provides services to a CE, that involve the use or disclosure of PHI.4 Whether storage of PHI in the cloud by a CE is enough, by itself, to bring a cloud provider within the definition of a business associate is unclear. Although some representatives of HHS have stated the opinion that cloud providers that hold PHI are business associates, a better analysis might require consideration of whether and to what degree the cloud provider has access to the PHI and whether the cloud provider will use the PHI in addition to storing it. For example, if a CE stores PHI in the cloud and the cloud provider has complete access to the PHI (an "open box" model), the cloud provider seems clearly to be a business associate. On the other hand, if a CE stores PHI with a cloud provider and the contract prohibits the provider from accessing the PHI (a "sealed box" model), the provider might not fit the definition of a business associate. In practice, though, many cloud providers have some limited access to stored data (a "flip-top box" model), for example to assist the cloud user if there are access problems. Whether a cloud provider with a flip-top box model is a business associate is unclear; instead, the cloud provider might qualify for the conduit exception.
The conduit exception was first set out in the Preamble to the final privacy rule in response to questions about the business associate status of the U.S. Postal Service, private couriers, and their electronic equivalents. Conduits transport information but do not access it "other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended . . . and the probability of exposure of any particular [PHI] to a conduit is very small," a conduit is not a business associate.5 Although there are differences between a cloud provider that stores PHI and a courier that only transports PHI, a cloud provider with a flip-top box model is similar to a conduit in many respects. For example, the cloud provider does not access PHI except on a random or infrequent basis as necessary to assist the CE; no disclosure of PHI to the cloud provider is intended; and the likelihood of exposure of PHI is small. Whether HHS will agree that a cloud provider with a flip-top box model is a conduit rather than a business associate remains unknown. Therefore, the most cautious CEs will want a business associate agreement with any cloud provider that will hold PHI.
Similarly, a TPA that is a business associate will need to determine what (if any) obligations it must flow down to the cloud provider. HIPAA already requires business associates to obtain certain undertakings from their agents and subcontractors relating to the use, disclosure, and protection of PHI, and the HITECH Act imposes increased obligations on business associates to pass HIPAA responsibilities along to their agents and subcontractors.6 Therefore, TPAs that wish to move PHI to the cloud should engage in the same analysis that CEs should undertake in deciding whether to require a business associate agreement.
Negotiating Cloud Contracts
If a health plan or a TPA makes the decision to move PHI to the cloud, it should be prepared to address with the cloud provider a number of contract and business associate agreement issues that present special difficulties in a cloud environment, including the following:
- Security and Privacy. The HIPAA privacy and security regulations both include specific requirements for provisions that must be incorporated in business associate agreements.7 However, some of those requirements (such as the provisions giving individuals the right to access and request amendments to their PHI that is held in designated record sets8) are an awkward fit for a cloud provider that merely receives data from its customer, stores it, perhaps encrypts and archives it, and gives the customer access to it. In many instances, the cloud provider will not know which data are PHI or which are held in designated record sets.
- User Tools. Many cloud providers offer their customers not only the providers' built-in, enterprise-wide privacy and security protections, but also tools that the customers can configure to establish additional privacy and security safeguards. Before contracting with a cloud provider, a CE or business associate should understand whether such tools are available and how the tools will allow the user to increase the level of privacy and security protection.
- Encryption. The HIPAA security regulations address encryption at rest and in transmission as addressable implementation specifications.9 Many cloud providers automatically encrypt data upon receipt, but even if encryption is an optional service, CEs and business associates should contract for it. Encryption adds a layer of protection to PHI, and if the encryption is done in a manner that meets HHS requirements, the encrypted PHI is not subject to the breach notification obligations under the HITECH Act.10 If data will be encrypted by the cloud provider, the service contract should address who will hold the encryption keys and, if the provider will hold a key, the conditions under which the provider is permitted to use it.
- Data Location. Many cloud providers store redundant copies of uploaded data in multiple locations, as part of their effort to ensure availability in the event of a natural disaster or other service outage in one or more locations. Although HIPAA does not require PHI to be held within the U.S., allowing PHI to be stored outside of the U.S. may create difficulties in the event of a breach or other impermissible use or disclosure of the PHI. Issues of personal jurisdiction, venue, service of process, conflicts of laws, and significantly different data protection laws can all make protection of data outside the U.S. difficult, and the cautious CE or business associate will require that all of its data be held within the U.S.
- Return of Data. The HIPAA privacy regulations require business associate agreements to provide for the return or destruction of PHI at the termination of a business associate relationship.11 Therefore, if PHI will be held by a cloud provider, the service contract should provide for secure data deletion, upon the cloud user's request, and within a specified time after the request is made.
- Contingency Planning and Disaster Recovery. The HIPAA security regulations address contingency planning and disaster recovery in several provisions.12 Cloud providers can often provide better protection in the event of outages or disasters than is provided by user-owned systems. Nonetheless, the service contract with a cloud provider should address the specific requirements to be met by the provider.
- Service Level Agreements (SLAs). SLAs document the metrics by which the cloud provider's performance will be measured and establish the penalties the cloud provider must pay, or other remediation that the provider must undertake, if the performance falls short. What should be included in the SLAs will depend, in part, on what kind of services the user is purchasing. But all cloud users will want to include, for example, SLAs that cover system availability, customer service response times, system response speed, responsiveness to load changes, and disaster recovery time.
Cloud service providers might or might not be business associates under HIPAA, but negotiation of contractual provisions (and business associate agreement provisions, if applicable) with a cloud provider that will hold PHI for a health plan or TPA needs to be approached with a clear understanding of what services the user is purchasing and how cloud providers differ from entities that are ordinarily considered business associates. Cloud provider contracts and business associate agreements with cloud providers are not one-size-fits-all and should be negotiated carefully to protect PHI in a manner that accurately reflects the capabilities of the parties.
Christine A. Williams, Perkins Coie LLP, Los Angeles, CA.
1 NIST Special Publication 800-146, "Cloud Computing Synopsis and Recommendations," May 2012, p. 2.1, available at http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf (as visited Nov. 1, 2012).
2 NIST Special Publication 800-146, "Cloud Computing Synopsis and Recommendations," May 2012, p. 2.2, available at http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf (as visited Nov. 1, 2012).
3 NIST Special Publication 800-146, "Cloud Computing Synopsis and Recommendations," May 2012, pp. 2.1-2.2, available at http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf (as visited Nov. 1, 2012).
4 45 C.F.R. § 160.103.
5 65 Fed. Reg. 82462, 82476 (Dec. 28, 2000).
6 At the time this is being written, the final regulations to implement many of the provisions of the HITECH Act have not been issued. The final regulations are expected to impose heightened flow-down requirements on business associates.
7 45 C.F.R. § 164.314 (security); 45 C.F.R. § 164.504 (privacy).
8 45 C.F.R. §§ 164.524, 164.526.
9 45 C.F.R. §§ 164.312(a) and 164.312(e).
10 45 C.F.R. § 164.402.
11 45 C.F.R. § 164.504(e)(2).
12 E.g., 45 C.F.R. §§ 164.308(a)(7); 164.310(a)(1) and (d)(1); 164.312(a)(1).