Google, Amazon Adjust to HIPAA Demands
Cloud Vendors Signing Business Associate Agreements
The HIPAA Omnibus Rule spells out that business associates, including many cloud vendors, must now comply with HIPAA. But some of the largest vendors offering cloud services had resisted signing HIPAA business associate agreements with healthcare clients.
In recent weeks, however, Google and Amazon have quietly begun offering standardized business associate agreements to healthcare clients using some of their cloud services. Security and privacy experts say the shift reflects persistent demands for HIPAA compliance from healthcare entities.
Compliance Check Up
As a result of the partial government shutdown, the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, is virtually closed. So now's an especially good time to catch up with HIPAA Omnibus Rule compliance work that might have slipped through the cracks before the Sept. 23 enforcement deadline kicked in. That includes taking inventory of business associate agreements with vendors, including cloud services providers, both large and small.
The HIPAA Omnibus Rule spells out a new, broader definition of a business associate as an entity that creates, receives, maintains or transmits protected health information for a function or regulated activity. "As a result, many cloud vendors are business associates that now must comply with HIPAA," says attorney Stephen Wu, a partner at Cooke Kobrick & Wu LLP (see: Cloud Computing Compliance Issues).
In late September, Google quietly began offering business associate agreements to healthcare clients using Google Apps, such as e-mail. Google declined to discuss details of its standardized agreements with Information Security Media Group. However, here's what Google's website says:
"Ensuring that our customers' data is safe, secure and always available to them is one of [Google's] top priorities. To demonstrate our compliance with security standards in the industry, Google has sought and received security certifications such as FISMA, ISO 27001, and SSAE 16. For customers who are subject to the requirements of HIPAA, Google Apps can also support HIPAA compliance.
"Under HIPAA, certain information about a person's health or health care services is classified as PHI. Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a business associate agreement with Google. ... Customers who have not entered into a BAA with Google must not use Google services in connection with PHI."
Amazon, too, has recently and quietly begun offering business associate agreements to its healthcare customers.
"Amazon Web Services has offered BAAs to its customers since mid-2013," says an Amazon spokeswoman. "This agreement enables AWS healthcare and life sciences customers to continue to leverage AWS for a wide range of industry use cases and to remain compliant with the existing regulations under HIPAA and the new [HIPAA Omnibus] final rule."
Google and Amazon finally agreeing to enter into business associate agreements is a significant development, says security consultant Tom Walsh.
"Most of my healthcare clients have not been using Google Apps because, prior to just recently, Google refused to sign a BAA," he says. "This was a point of contention with several academic medical centers as the university side of the house wanted Google Apps but the medical schools stated that they could not use Google because PHI may be contained in the apps ... and they had no signed BAA with Google."
But the business associate agreement Google is offering is "very generic," says Walsh, who has seen the contracts. "It has to be [generic] to work with such a wide variety of organizations. But it's the tail wagging the dog. The covered entities are supposed to drive the BAA process, not the business associate. But like many of the super-large vendors out there, Google does not want to have to have their lawyers review hundreds of BAAs from every single healthcare organization that they work with."
Privacy and security attorney Gerard Stegmaier of the law firm Wilson Sonsini Goodrich & Rosati says that many vendors, including cloud providers, are under pressure to sign business associate agreements with healthcare clients, even when the vendors aren't convinced they are business associates.
"Generally speaking, many SaaS and cloud services companies are undertaking reviews of HIPAA's requirements and evaluating their ability to meet the requirements of standard BA agreements regardless of whether they are, in fact, a BA," he says. "The practical reality is that many covered entities are requiring [business associate agreements] of vendors and suppliers, and there is a competitive race to address customers' privacy, security and compliance requirements. Many service providers believe cloud services are intrinsically more secure and are proactively working to demonstrate this belief to customers."
But many data center-related services maintain they are not BAs under the rules, and many companies are evaluating the risks on a case-by-case basis and documenting their decisions, Stegmaier says. "Whether a service provider 'maintains' PHI remains a tricky question with serious consequences," he says.
Still Some Holdouts
While some cloud vendors - including large ones like Google and Amazon - are caving in to signing agreements, a few other categories of vendors are still resisting, Walsh says.
"Some medical device manufacturers refuse to sign BAAs even though their representatives are in the operating room while the device is being implanted into a patient, and the company collects and stores patient information in the event that there is ever a product recall," Walsh says.
"On the other hand, there are healthcare clients that make every contractor sign a BAA even if the contractor is not a BA," he adds. "Many contractors do not 'create, receive, maintain, or transmit PHI on behalf of a covered entity' as part of furnishing their services. So why are they forced to sign a BAA in order to do business with a healthcare organization?"
It's important to remember that even when a reluctant vendor finally signs a business associate agreement, that's only one step toward HIPAA compliance, experts note.
"Having a cloud solution doesn't mean your organization should be hands-off," warns Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society.
Stegmaier offers a similar observation: "While the focus on compliance is good, it can be easy to lose sight of the statutory goal, which is the reasonable protection of PHI. The first line of defense is the people who have direct relationships with patients because they have the best idea of the sensitivity of the information they receive."
Covered entities should keep in mind that agreements and contract renewals signed with business associates after Jan. 25, which was when the HIPAA Omnibus final rule was published in the Federal Register, were required to be modified by Sept. 23 to reflect changes in the regulations. However, BA contracts signed before Jan. 25 have until Sept. 23, 2014, to be modified.