Many regulatory requirements that impact cloud computing were enacted before cloud computing came into existence. As a result, they don't directly or effectively address issues that can arise because of the cloud, leaving both client organizations and cloud vendors without clear guidance on how to comply. While such laws are typically updated at a much slower pace than the cloud evolves, now that the cloud is becoming more established, some regulations are starting to catch up. A case in point is the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA establishes national standards to protect people's electronic protected health information (PHI) and requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic PHI. Any organization in the U.S. contemplating moving a function involving PHI to the cloud needs to thoroughly understand HIPAA and comply with it.
HIPAA was initially enacted August 21, 1996, more than a year before the first known academic usage of the term "cloud computing" and more than a decade before most businesses were even considering the possibility of entrusting data to cloud vendors. A significant modification to the act was issued on January 25, 2013. While none of this modification's 138 pages specifically mentions cloud computing, the changes it contains are applicable and should be fully absorbed by your cloud-computing team.
To use the language of HIPAA, a client organization moving a function that involves PHI to the cloud would be what is identified as a "covered entity." A vendor that creates, receives, maintains or transmits PHI on behalf of a covered entity would be what is called a "business associate." While HIPAA doesn't specifically identify cloud computing vendors as business associates, they clearly fall within this scope.
Historically, covered entities have been directly responsible for HIPAA compliance, with business associates only indirectly responsible via a business associate agreement (BAA) between the two parties. According to HIPAA, a BAA needs to require the business associate to implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI, and to ensure that any subcontractor engaged by the business associate in this process agrees to implement similar safeguards.
Some of the largest reported HIPAA breaches to date have involved business associates, so it should come as no surprise that a number of changes in the recent modification clarify and increase the accountability of business associates. Specific elements of the modification that are pertinent to cloud computing include:
* Business associates are now separately and directly liable for compliance with, and violations of, HIPAA privacy, security and breach notification rules.
* Business associates must review and modify security measures on an ongoing basis to ensure the continued provision of reasonable and appropriate protection of PHI.
* If a business associate engages a subcontractor to perform a function or service that involves use or disclosure of PHI, then the business associate is obligated to enter into a BAA with the subcontractor.
* If a breach of PHI occurs at the subcontractor tier, then the subcontractor must notify the business associate, which then must notify the covered entity. The covered entity must then notify the affected individuals, unless it has delegated such responsibilities to a business associate.
The maximum penalty for HIPAA noncompliance is $1.5 million per violation, so clients and cloud vendors have good reason to understand these latest modifications.
Interested in learning more about cloud-computing risk mitigation via contract negotiation and vendor management? Then please register for my seminar Contracting for Cloud Computing Services, March 25-26, 2013, in Los Angeles. I look forward to seeing you there.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.