HIPAA Business Associate Avoidance and Google Update

By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting

The HIPAA Omnibus Final Rule (see page 5572) was announced in January, 9 months ago, and was very clear that a business that stores electronic Protected Health Information, even if it doesn’t access it, is a HIPAA Business Associate. That’s why Google Apps, Amazon Web Services, and many others each accepted that it was a HIPAA Business Associate rather than face the loss of business that would have followed if it hadn’t.

They must have figured out that you don’t have to be a traditional health care business to have to comply with HIPAA. Many companies that support health care providers and payers are HIPAA Business Associates, like lawyers that represent doctors and hospitals in patient lawsuits; accountants that audit health care clients; collections companies; insurance agents; and more. Any patient data stored in their systems is just as protected as a patient’s record in a doctor’s system.

The HIPAA Omnibus Final Rule says in clear, simple English…

“…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.

To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.”

Storing data, even if it is encrypted and behind locked cage or cabinet doors, qualifies a data center, cloud service, or online backup provider as a HIPAA Business Associate.

Enforcement was suspended to give everyone time to comply. So why, after enough time to have a baby, are companies that ‘maintain’ (store) protected health data still denying that they must comply with the law? I have withheld the names of the companies quoted below that are denying they are HIPAA Business Associates.

Just this week I saw the following from an online backup company:

Business Associate Agreement

Our customers have a private encryption key that is self-managed. So a business associate agreement is not required with _____. This covers the reasonable probability that protected health information can be accessed.

Really? That’s not what the law says.

There is no exemption in the Omnibus Final Rule related to the management of encryption keys, so according to the law _____ is a Business Associate.

The reality in the IT world is that small and medium businesses hire outsourced IT companies to manage their networks. Most clients would not know what to do with encryption keys, so they have their IT vendor manage them so their data can be accessed and recovered after a disaster.

While it is virtually impossible to break into a file protected with 256-bit encryption, it is much easier to break into many of the weak systems people use to store their encryption keys, and whoever holds the key holds the data.

In its HIPAA marketing one large online backup company advertises that you can get to your data “Anytime, Anywhere” provided the user is not managing their own encryption key.

Isn’t that like buying an expensive lock for your door and then hanging the key on the doorknob?

We Promise We Won’t Touch Your Data

A well-respected data center sent this in a contract addendum to a client in response to a request for a Business Associate Agreement:

Customer Data. The parties acknowledge and agree that _____ does not require or request access to, use of, or receipt of information transmitted, stored or processed on or through the Customer Equipment (including end customer information) (“Customer Data”) in connection with the performance of ______’s obligations under the CFA. ______ covenants not to access or attempt to access any Customer Data without the prior written consent of Customer…

Really? That’s not what the law says.

______ cannot substitute a “covenant not to access data” to deny the FACT that according to the law it is a Business Associate. And there is no exemption for encrypted data. If ePHI is stored in its facility, then the data center is a Business Associate.

Don’t Worry, It’s Encrypted

I recently sat in on a webinar put on by an online backup company. Their ‘HIPAA expert’ told their IT reseller partners that “if the health data they came in contact with was encrypted then they were not Business Associates and did not have to sign agreements.”

Really? That’s not what the law says.

There is no exemption for encryption, so their partners that come in contact with ePHI, even if it is encrypted, are Business Associates.

To all of you HIPAA-deniers, you can run but you can’t hide. You are a HIPAA Business Associate no matter what you say.

“…an entity is a business associate if the person or entity meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.” HIPAA Omnibus Final Rule

If you store ePHI that is encrypted, locked in cages and cabinets, that you swear you will never access, you are a HIPAA Business Associate.

If you won’t acknowledge your compliance responsibilities under the law, anyone storing ePHI with you is committing a HIPAA data breach, with fines up to $1.5 million per occurrence.

If you are running away from HIPAA your customers should be running away from you.

Google Update

“When you put your data in Google Apps, you still own it, and it says just that in our contracts.”

In late September Google quietly began offering HIPAA Business Associate Agreements (BAAs) to businesses that purchase its premium Google Apps for Business cloud services. BAAs are available on request after you answer just a few basic questions. The Terms and Conditions for Google Apps for Business guarantee the security of your information.

IMPORTANT! – Google is NOT offering Business Associate Agreements to those using their FREE Gmail service. A medical or dental practice using free Gmail to send and receive electronic Protected Health Information is committing a HIPAA data breach because (a) Google will not sign a BAA and (b) Google’s terms and conditions allow them to share—even publish—anything in free Gmail.