By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
The HIPAA Omnibus Final Rule (see page 5572) was announced in January, 9 months ago, and was very clear that a business that stores electronic Protected Health Information, even if it doesn’t access it, is a HIPAA Business Associate. That’s why Google Apps, Amazon Web Services, and many others each agreed that they are HIPAA Business Associates rather than face the loss of business that would have followed if they hadn’t.
They must have figured out that you don’t have to be a traditional health care business to have to comply with HIPAA. Many companies that support health care providers and payers are HIPAA Business Associates: lawyers who represent doctors and hospitals in patient lawsuits, accountants who audit health care clients, collections companies, insurance agents, and more. Any patient data stored in their systems is just as protected as a patient’s record in a doctor’s system.
The HIPAA Omnibus Final Rule says in clear, simple English…
“…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.
To help clarify this point, we have modified the definition of ‘business associate’ to generally provide that a business associate includes a person who ‘creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.”
Storing data, even if it is encrypted and behind locked cage or cabinet doors, qualifies a data center, cloud service, or online backup provider as a HIPAA Business Associate.
Enforcement was deferred until the September 23, 2013 compliance date to give everyone time to comply. So why, after enough time to have a baby, are companies that “maintain” (store) protected health data still denying that they must comply with the law? I have withheld the names of the following companies that are denying they are HIPAA Business Associates.
Just this week I saw the following from an online backup company:
Business Associate Agreement
Our customers have a private encryption key that is self-managed. So a business associate agreement is not required with _____. This covers the reasonable probability that protected health information can be accessed.
Really? That’s not what the law says.
There is no exemption in the Omnibus Final Rule related to the management of encryption keys, so according to the law _____ is a Business Associate.
The reality in the IT world is that small and medium businesses hire outsourced IT companies to manage their networks. Most clients would not know what to do with encryption keys, so they have their IT vendor manage them so that data can be accessed and recovered after a disaster.
While it is computationally infeasible to brute-force a file protected with 256-bit encryption, it is much easier to break into the weak systems people use to store their encryption keys: whoever holds the key holds the data.
In its HIPAA marketing one large online backup company advertises that you can get to your data “Anytime, Anywhere” provided the user is not managing their own encryption key.
Isn’t that like buying an expensive lock for your door and then hanging the key on the doorknob?
We Promise We Won’t Touch Your Data
A well-respected data center sent this in a contract addendum to a client in response to a request for a Business Associate Agreement:
Customer Data. The parties acknowledge and agree that _____ does not require or request access to, use of, or receipt of information transmitted, stored or processed on or through the Customer Equipment (including end customer information) (“Customer Data”) in connection with the performance of ______’s obligations under the CFA. ______ covenants not to access or attempt to access any Customer Data without the prior written consent of Customer…
Really? That’s not what the law says.
______ cannot use a “covenant not to access data” to deny the fact that according to the law it is a Business Associate. And there is no exemption for encrypted data. If ePHI is stored in its facility then the data center is a Business Associate.
Don’t Worry, It’s Encrypted
I recently sat in on a webinar put on by an online backup company. Their “HIPAA expert” told their IT reseller partners that “if the health data they came in contact with was encrypted then they were not Business Associates and did not have to sign agreements.”
Really? That’s not what the law says.
There is no exemption for encryption, so their partners who come in contact with ePHI, even if it is encrypted, are Business Associates.
To all of you HIPAA-deniers, you can run but you can’t hide. You are a HIPAA Business Associate no matter what you say.
“…an entity is a business associate if the person or entity meets the definition of ‘business associate,’ even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.” (HIPAA Omnibus Final Rule)
If you store ePHI that is encrypted, locked in cages and cabinets, that you swear you will never access, you are a HIPAA Business Associate.
If you won’t acknowledge your compliance responsibilities under the law, anyone storing ePHI with you is committing a HIPAA data breach, with civil penalties of up to $1.5 million per year for violations of a single provision.
If you are running away from HIPAA your customers should be running away from you.
Google Update
“When you put your data in Google Apps, you still own it, and it says just that in our contracts.”
In late September Google quietly began offering HIPAA Business Associate Agreements (BAAs) to businesses that purchase its premium Google Apps for Business cloud services. BAAs are available on request after you answer just a few basic questions. The Terms and Conditions for Google Apps for Business guarantee the security of your information.
IMPORTANT: Google is NOT offering Business Associate Agreements to those using their FREE Gmail service. A medical or dental practice using free Gmail to send and receive electronic Protected Health Information is committing a HIPAA data breach because (a) Google will not sign a BAA and (b) Google’s terms and conditions allow them to share, even publish, anything in free Gmail.