Where In The Cloud Is Your PHI?

Storing Protected Health Information (“PHI”) in the cloud can be a very useful thing for covered entities and business associates.  As we know, HIPAA does permit storing PHI in the cloud if the cloud storage provider executes a Business Associate Agreement.  However, do you know exactly where that PHI is stored by the cloud provider?  In some instances the cloud storage vendor might store, backup, or process the PHI in an overseas location.  How do you protect the PHI, and yourself, in such a situation?

HIPAA does not specifically forbid storing PHI in an offshore location (some states do forbid storing Medicaid data offshore), but it does create challenges.  First, you must determine where your cloud vendors will be storing the information, and whether it will be offshore or not.  If it is offshore, you need to determine the specific location and what local rules might apply to the PHI. Local laws in the international jurisdiction where PHI might be stored might actually allow access to the data that would be in violation of HIPAA.  The duty is on you, as you contract with the cloud provider, to determine whether the security efforts are sufficient and whether the location of the data will pose any risks. Furthermore, offshore cloud providers might not be bound by HIPAA, but you – presumably operating in the United States – are.  If your international cloud provider is at fault for a breach but cannot be held accountable, you might be determined to be liable even if the only action you took was selecting the wrong vendor.

Without question, storing PHI offshore brings unique challenges. Whether they are worth it or not can only be answered by you. However, if you are considering a vendor that will store PHI internationally, be sure to conduct a risk assessment to ensure you are not putting PHI in increased or unnecessary risk.

Emergency Preparedness Best Practices

In the wake of two damaging hurricanes, the topic of emergency preparedness is at the top of mind for many Covered Entities and Business Associates. The goal of emergency preparedness is to ensure electronic protected health information (ePHI) is secure, and the confidentiality, integrity, and availability of ePHI is not jeopardized both during and after an emergency.

Effective emergency preparedness consists of having a contingency plan which includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan.  The data backup plan ensures that you have accurate backups of the ePHI, while the disaster recovery plan is how you recover from those backups.  The emergency mode operation plan outlines how ePHI will remain secured during the course of the emergency.  While not specifically required, your organization should consider testing your contingency plan and revising it as necessary.

When thinking about putting your plan together, you can follow a seven-step process,

  1. Assess your situation;

  2. Identify risks;

  3. Formulate an action plan;

  4. Decide if and when to activate your plan;

  5. Communicate the plan;

  6. Test the plan; and

  7. Treat the plan as an evolving process.

While this process is linear, these steps can take considerable time to finalize.  If you don’t have a contingency plan in place now, you should begin the process to develop and implement one as soon as possible.

Can I Send Patient Information To…?

One of the most common questions I hear is, “Can I send patient information to…” with a plethora of situations and organizations completing that sentence.  Not only is this one of the most common questions, but it is also one of the most fundamental from a patient privacy perspective. I encourage everyone to analyze their unique environment and create a reference guide that captures typical disclosures for your organization.  Include when disclosure is appropriate, inappropriate, and when the Privacy Officer should be consulted.

The reference guide should be developed by analyzing the three types of disclosures of Protected Health Information (“PHI”),

  • Required Disclosures:  The instances in which the PHI must be disclosed include,

    • To individuals when requested for access or an accounting of disclosures; and

    • To the Secretary of U.S. Department of Health and Human Services when conducting a compliance investigation, review, or enforcement action.

  • Permitted Disclosures:  These are situations in which the PHI may be disclosed without the patient’s consent, but you are under no obligation to disclose at all.  Permitted disclosures include,

    • For treatment, payment, and healthcare operations to another covered entity or a business associate with whom you have an executed business associate agreement;

    • With the opportunity to agree or object:  Examples include inclusion in a facility directory, and to family, friends, or others involved in the patient’s care or payment for care;

    • Use or disclosure incidental to a disclosure that is otherwise permitted;

    • Public interest and benefit activities, including when required by statute, regulation or court order, for public health activities, victims of abuse, neglect or domestic violence, for health oversight activities, for law enforcement purposes, and several others (find the full list here); and

    • In a limited data set, which is a data set from which specified direct identifiers have been removed, for research, operations or public health purposes.

  • Authorized Disclosures:  Authorized disclosures include any disclosure that is not required or permitted.  These disclosures can only be made pursuant to a patient’s authorization.  Patients have wide deference in deciding what disclosures to authorize, and duly authorized disclosures must be made unless doing so would bring harm to the patient.  An authorization must include specific items, such as,

    • Be in plain language;

    • Be specific about the information to be disclosed;

    • Identify who is disclosing and receiving;

    • Include a time or event for expiration; and

    • Permit the authorization to be revoked in writing.

While the healthcare industry becomes more complex by the day, all disclosures will still fit into one of these three categories. If it is not permitted or required, it must be authorized by the patient.  By placing typical disclosures within your organization into one of these three categories, you will be able to answer the question of whether you may send the patient information or not. For any atypical disclosures, that do not fit neatly into one of these groups, consult your Privacy Officer for the final determination.

What To Do About Insecure Business Associates

As a Covered Entity or a Business Associate, you know you need Business Associate Agreements with entities that perform a service or a function for you which requires access to Protected Health Information (“PHI”) to carry out (these are Business Associates or subcontractors).  A required element of Business Associate Agreements is that you will not transfer PHI to entities you know are not properly securing the PHI.  Therefore, what should be done in instances when you discover a Business Associate or subcontractor that is not adequately securing PHI?

The first step is to see if the issue can be resolved, or ‘cured.’ Send the Business Associate written communication putting them on notice that they have a specific time (for example, 30 days) to correct the issue and secure the PHI; otherwise, the contract will terminate and the exchange will end.  The best case scenario is that they cure the issue within the specified time. If the issue is not corrected in time, then the contract can terminate and the exchange of PHI should end.  The only exception would be if termination is not feasible, for instance because there are no other viable options for the service, in which case you must notify the HHS Office for Civil Rights of the potential breach.

As the exchange of PHI becomes more prevalent and complex, the chain of trust on which the PHI is exchanged becomes increasingly important.  If one link within that chain is weak, it must be strengthened or removed.