By Danielle Sheer, Vice President and General Counsel, Carbonite Inc.
HIPAA, SSAE 16, ISAE 3402 (formerly SAS70), SOC 1, SOC 2, SOC 3,
Guess again. These are just a few of the regulations and attestation standards that govern the privacy, security, and integrity of stored information, in the cloud or otherwise (HIPAA is federal law; SSAE 16, ISAE 3402 and the SOC reports are audit and attestation standards rather than statutes). With the proliferation of these data security standards, it is becoming increasingly important for vendors such as cloud backup providers to be diligent about their compliance, both to respond to demand from customers and because there is an obvious market advantage in offering solutions that support customer compliance.
Enter the recent revisions to HIPAA, the Health Insurance Portability and Accountability Act. The purpose of HIPAA's Security Rule is to protect an individual's electronic protected health information (ePHI), while also permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans (which HIPAA defines as "Covered Entities").
On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published a revised set of security and privacy requirements under HIPAA. The final HIPAA Omnibus Rule both expands the definition of a "Business Associate" and includes a number of key changes in substantive areas such as direct liability, increased sanctions, breach notification, and obligations regarding subcontractors.
Prior to the revision, HIPAA and HITECH imposed legal requirements on vendors who provided certain outsourced services to Covered Entities (the organizations directly regulated by HIPAA) and who had access to the protected health information (PHI) collected by the Covered Entity. These vendors were called "Business Associates." The first significant regulatory change is that the definition of a Business Associate has seemingly been expanded to remove the access requirement and to include any vendor who "creates, receives, maintains, or transmits" PHI on behalf of a Covered Entity, with "maintains" being the operative word for a backup provider. By substituting this new text for "access to ePHI" in the operative terms of the definition, HHS has fundamentally altered the position of many cloud backup providers.
In short, the analysis no longer appears to hinge on whether a vendor can access customer ePHI, but on whether it receives or maintains HIPAA-regulated customer data at all. A cloud backup service that stores customer data "maintains" it, even if the data is encrypted and the vendor never looks at it, so such services now fall under the purview of HIPAA.
So, what does this all mean for cloud vendors and their partners?
Cloud Vendors: In order to meet the requirements placed on Business Associates, vendors must implement the administrative, physical, and technical safeguards of the Security Rule to keep protected health information secure, and enter into Business Associate Agreements (BAAs) with the Covered Entities they serve. Because the Omnibus Rule also extends these obligations to subcontractors, a vendor that relies on another provider (for example, for hosting or data center services) needs a BAA with that subcontractor as well, and must be prepared to meet the breach notification obligations the rule imposes.
Partners: When evaluating cloud vendors for your HIPAA-regulated customers, ask whether they comply with the new HIPAA regulations, which carry a compliance date of September 23, 2013. Vendors should be able to show you a copy of their BAA and give you details on the policies and safeguards they have put in place to secure protected health information; a vendor that cannot produce a BAA, or cannot describe its safeguards beyond a general assurance of "security," should be treated with caution.
The standards for protection of personal information in our digital world are ever-evolving. With ever-increasing competition in the cloud services industry, it will be interesting to see how compliance in the cloud continues to mature and how companies interpret their responsibilities under the many compliance requirements.