Safeguarding PHI: OCR releases guidance on HIPAA and cloud computing
By Nawa Arsala

In 2016 alone, there were 329 Health Insurance Portability and Accountability Act of 1996 (HIPAA) breaches of protected health information (PHI) that affected 500 or more individuals. Two hundred and fifty-four of those breaches involved electronic protected health information (ePHI). Due to the increased use of cloud services in the health care setting, the US Department of Health & Human Services Office for Civil Rights (OCR) shared guidance on how to comply with HIPAA using this innovative technology. The guidance explains that if your facility is using a cloud service provider (CSP) to create, receive, maintain or transmit ePHI, for example, to process or store ePHI, the CSP is considered a business associate and you must have a business associate agreement with it. The guidance further explains that even if the PHI is encrypted when it is linked to the cloud, the CSP is still a business associate and subject to HIPAA regulations. Encryption in this setting means that the CSP cannot view the information because it is converted into a code to prevent unauthorized access. This is just one additional layer to password protection to safeguard PHI. The fact that the CSP will not be able to view the PHI because it is encrypted and, yet, is still required to have a business associate agreement, highlights the importance OCR places on maintaining the written agreement with all of the parties that handle PHI. Moreover, the guidance explains that if the cloud service provider subcontracts any other work, the health care provider also must have a business associate agreement with that subcontractor.

“The guidance explains that if your facility is using a cloud service provider (CSP) to create, receive, maintain or transmit ePHI, the CSP is considered a business associate and you must have a business associate agreement with it.”

—Nawa Arsala, ASCA

Business associate agreements are a written requirement, but these alone do not completely protect a health care provider from penalties as a result of a potential breach. ASCs also should ensure that they are safeguarding their PHI by following the requirements explained in the Security Rule. These requirements are presumably already implemented in an ASC’s HIPAA compliance program.

Remote Accessibility

Unlike data stored on a computer hard drive, data stored using cloud storage technology is accessible remotely. For example, instead of saving PHI on their office’s desktop computer, authorized users can store that information “on the cloud” and later access that information through the Internet from any location. Cloud computing has been successful in many industries, especially in the health care industry, for several reasons. First, if data is saved on a computer hard drive and that computer is not accessible because it has been damaged, broken or stolen, or has gone missing, that information is no longer accessible. Many health care providers safeguard PHI by backing it up on external hard drives. These hard drives can be stored in the same building or at an off-site location. However,

20 ASC FOCUS MAY 2017 |
