Did you know that if you’re a cloud service provider, you are required to sign a business associate agreement (BAA) if the healthcare organization you’re working with is handling protected health information (PHI)? Why is it so important not just to be a reliable cloud, but also a HIPAA compliant one?
Last week the U.S. Department of Health and Human Services released useful guidance clarifying that a business associate agreement is required for cloud service providers that could be storing PHI on behalf of healthcare organizations (even if they don’t know it). This includes providers like Amazon Web Services (AWS) or Dropbox, and is true whether a healthcare organization is using these services or they are being utilized by one of the business associates they’re contracting with.
Additionally, the HHS guidance clarified that a BAA is required even if the cloud storage provider has no access to the PHI because it is encrypted by you and the cloud provider does not have access to the encryption key. There was some debate on this topic before the guidance, but now it is clear that a BAA is required even if the cloud provider cannot access the information. As the guidance points out, the cloud provider still has persistent access (as opposed to the transient access that allows the conduit exception to apply), and must maintain various safeguards to ensure the PHI is maintained in its encrypted state.
Many of the major cloud storage providers (most notably AWS) have been willing to execute BAAs for some time. If you’re a healthcare organization storing PHI in the cloud and you do not have a BAA in place with the cloud provider, you must execute one in short order. Most likely you do not have a BAA in place because the cloud provider is unaware you are storing PHI on their systems. Once you make them aware, it is likely they will willingly sign a BAA.
Safely Storing PHI In The HIPAA Compliant Cloud
HIPAA enforcement officials have taken a renewed interest in how much patients are being charged for a copy of their PHI. According to recently released HHS guidance, OCR is specifically interested in ensuring patients have free access to inspect their PHI and can obtain copies of their PHI (in whole or in part) for only what it costs to create the copy. (Note to California readers: California law stipulates a cost of 25 cents per page for copies, plus reasonable clerical fees, for PHI maintained in paper form).
Viewing and Inspecting PHI
Simply put, a covered entity cannot charge patients who request to view and inspect their PHI. In addition, patients are permitted to take notes while they are inspecting their own PHI, and can even take pictures of documents (electronic or paper) without incurring any charges.
Copies of PHI
Alternatively, covered entities can charge reasonable costs directly associated with providing an individual a copy of their PHI. The individual must be informed in advance that a fee will be charged and an estimate of the fee associated with providing the copies. The fee itself can only be for the labor, supply, and postage costs associated with the copy request. Any costs associated with reviewing the request or retrieving the requested PHI cannot be charged to the individual.
There are three primary ways to calculate the costs associated with providing copies of PHI. The first is the actual cost. This includes the actual labor costs associated with making the copy, as well as any material costs (paper, USB drive) and postage. The second is developing an average cost schedule for standard types of access requests. A per page fee is an example of an average cost; however, per page fees are not permitted for paper or electronic copies of PHI maintained electronically. The third is a flat fee (not to exceed $6.50) for electronic copies of PHI which are maintained electronically.
Admittedly, this is an exceptionally dry aspect of an already dry regulation, but it is one that OCR is looking at with an increased focus. Therefore, it is important that you have a policy and procedure in place which outlines what fees (if any) you charge for copies of PHI, and how you facilitate a request to inspect PHI.
HHS recently issued guidance to help determine when a mobile application developer is a business associate (BA) and when they are not. As you may be aware, if an application developer is a BA, then HIPAA applies. Two simple questions help determine when an application developer is a BA:
- Who is the app developer’s customer? If they are providing the service directly to the consumer, they are not a BA. If they have some type of relationship with a provider or health insurance plan to offer services to their clients, they would be a BA.
- Who controls whether to transmit health data from the app to third parties? If the consumer makes all of those decisions, the app developer is not a BA. If someone else is making the decisions about whether to transfer health data to third parties, the app developer likely is a BA.
As you can see, the simplest way to determine whether an application developer is a BA is to analyze with whom the developer has the direct relationship. If it is a covered entity (or their BA), the developer is a BA. If the developer has the most direct relationship with the consumer, they are likely not a BA.
However, even if an application developer is not a BA they should still implement reasonable security and privacy features into their product. They may not have an obligation to meet HIPAA, but they are not absolved of all duty to secure health information.
The U.S. Department of Health and Human Services (HHS) phase two HIPAA audits are expected to start very soon. The HIPAA HITECH Express Team has prepared a primer on where we have been, where we are going, and what you can do now to prepare for the upcoming phase two HIPAA audits.
There is much to do to be prepared for a HIPAA audit, and time is running out. It is best to prepare now. A hurried response to an audit request will likely lead to poor performance. For information on what you can do today, please click here to download our primer.