Cloud computing enables organizations of all types and sizes to operate more efficiently by allowing them to quickly and cost effectively outsource the operation and maintenance of their IT systems. However, the adoption of cloud computing appears to have been slower in the health care industry than in other sectors. While there is no single reason for this lag, concerns around whether cloud providers can comply with the stringent privacy and security regulations in the Health Insurance Portability and Accessibility Act (HIPAA) have affected the adoption of cloud services in this particular industry. Under HIPAA, health care providers, health plans and other "covered entities" are required to maintain the privacy and security of protected health information (PHI).
Subject to the privacy and security rules in HIPAA, covered entities are allowed to disclose certain information to “business associates," generally defined as persons who assist in the performance of functions or activities involving the use and/or disclosure of PHI, or any other activity covered by HIPAA (see 45 C.F.R. 160.103 for the full definition). HIPAA requires each covered entity to have a business associate agreement (BAA) in place to ensure that HIPAA requirements are met by each business associate and that PHI is used only for appropriate purposes. The Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009 extended the privacy and security requirements of HIPAA and accompanying penalties to apply to business associates, and required the expanded HITECH rules to be included in BAAs. Therefore, covered entities and their counsel must carefully consider the legal implications involved when entering into a cloud services relationship with a business associate.
Cloud providers handling PHI
There are a number of issues to be considered by covered entity counsel when entering into a contractual relationship with a cloud provider. Chief among these is determining whether the provider is a business associate. While it is difficult to establish a clear-cut standard for evaluating this, the determination comes down to how PHI is used by the provider. If the provider is only responsible for storing PHI, and only the covered entity’s staff has the ability to access the PHI, then the cloud provider is probably not a business associate. However, if the provider’s personnel has access to PHI to perform functions for the covered entity, then that provider would most likely be considered a business associate. Once it is determined that a cloud provider is a business associate, HIPPA requires that the provider enter into a BAA with the covered entity.
A BAA between a covered entity and a cloud provider should address the issues relating to PHI that might arise in the relationship, including:
- Security and privacy controls
- Data ownership
- Breach notification
- Data location
- Protocol after termination
There are a number of model BAAs available. For example, if a cloud provider already has several health care clients, they may be familiar with the requirements for business associates. If the provider is new to this area, however, they may be wary about entering into a BAA, or even balk at doing so entirely. Though the cost of negotiating a BAA with such cloud providers may be expensive, in-house counsel and their covered entities should require the provider to sign a BAA and ensure that it is thoroughly written, lest both parties incur substantial fines and potential damage to their public images.
Unfortunately, unlike brick and mortar service providers, cloud providers have become accustomed to using "clickwrap" agreements. In these cases, a customer enters into a contract simply by clicking an “I Agree” or “OK” button, for the provision of services or the granting of a license to technology. Though few, if any, courts have addressed clickwrap BAAs specifically, clickwrap agreements are generally upheld as enforceable outside of the BAA context as long as they meet certain substantive and procedural requirements.
In their vanilla form, clickwrap agreements typically include vendor-favorable licensing/services terms. These terms, however, may not address the specific obligations imposed on covered entities, which, in turn, must flow down to their business associates. And therein lies a potential trap. While a covered entity and its counsel might be tempted to accept the provider's clickwrap BAA to avoid the time and expense of negotiating a new BAA, it is critical that the BAA contain the appropriate terms in order to comply with HIPAA and HITECH.
In addition, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), which administers HIPAA, has stated that electronic agreements qualify as written documents. In the absence of specific standards from HIPAA, however, covered entities must ensure that any electronic signature complies with applicable laws. As such, covered entities and their counsel must be aware of the law in their jurisdiction regarding electronic agreements.
Although an electronic BAA may satisfy the applicable writing requirements, counsel should take note that the OCR is responsible not only for investigating complaints from patients, but also for performing compliance audits. The HITECH Act mandates periodic audits to ensure that covered entities and business associates are complying with the HIPAA privacy and security rules, as well as breach notification standards; 150 of such audits are scheduled to be conducted before the end of this year. Covered entities and business associates must have written or electronic copies of all BAAs in the event they are audited.
Preparation mitigates pitfalls
With the emergence of cloud computing, companies across many industries have the opportunity to do more with less. However, for covered entities and their counsel, this opportunity comes with strings attached, courtesy of HIPAA and the HITECH Act. Therefore, when handing some control of the processing and/or storage of PHI over to a cloud service provider, counsel for a covered entity should guarantee that the chosen provider will treat PHI with appropriate care. To do this, they should enter into a BAA so that any PHI provided to the provider is in safe hands. By taking the proper precautions, both parties can avoid the potential pitfalls.