The law and policy of internet and digital technology use

HIPAA and the Cloud—Considerations for Cloud Service Providers Serving Covered Entities and Business Associates

This is the flip side of last week’s post. Here’s a quick summary of some key compliance points for Cloud Service Providers (CSPs) who serve medical practitioners and their business associates.

(1) Information de-identified per HIPAA’s Privacy Rule is not ePHI. If that’s all a CSP is hosting, HIPAA will not regulate the hosting.

(2) CSPs can host a practitioner’s store of electronic protected health information (ePHI), or any part of it.

(3) If they do, CSPs must execute a Business Associate Agreement (BAA) with the practitioner (or, where a business associate engages the CSP, a subcontractor BAA with that business associate). This is true even if CSPs host only encrypted information for which they lack the key.

(4) Breach Liability. CSPs hosting a practitioner’s ePHI may be liable to the practitioner. They may also be subject to direct enforcement action by the government.

(5) Terms of Service or Service Level Agreements offered to practitioners must not violate HIPAA. This can occur, for example, if the agreements improperly block or terminate a practitioner’s or patient’s access to ePHI for nonpayment.

(6) Subject to limitations that apply where a breach is clearly the fault of the practitioner, a CSP is independently responsible for maintaining appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of the practitioner’s ePHI.

(7) CSPs must facilitate patients’ rights to access, amend, and receive accountings for disclosures of their ePHI.

(8) CSPs must effectively destroy ePHI when their relationships with practitioners end.

(9) CSPs must consider carefully whether they can safely store ePHI outside the United States. Relevant considerations include the legal climate in the foreign jurisdiction and the threat environment there.

(10) Depending on the scale of a practitioner’s operation and a CSP’s, a practitioner may insist on audit rights as a result of its risk analysis.

Key Source: HHS Guidance on HIPAA and Cloud Computing

HIPAA and the Cloud—Considerations for Covered Entities and Business Associates Using Cloud Providers

Here’s a quick summary of key compliance points arising from the use of “Cloud Service Providers” (CSPs) by medical providers. (1) Providers can use a CSP. (2) The CSP is a “Business Associate” subject to HIPAA. This is true even if it holds only encrypted electronic protected health information (ePHI). (3) This means providers can only use… Continue Reading

US Issues “Significant Guidance” on Privacy Rights of Transgender Students

A couple of months ago, the civil rights units of the United States Departments of Justice and Education issued a “significant guidance” letter to schools concerning the requirements of Title IX and FERPA that apply to transgender students. The anti-discrimination aspects of this guidance got fair play in the press, but the privacy notes were overlooked.… Continue Reading

Clinical Research Apps, Reidentification, and Informed Consent

I saw a thought-provoking article in Gizmodo the other day about a clinical research app Glaxo Smith Kline (GSK) has developed using Apple’s open-source ResearchKit framework. The article featured this rather alarming headline: Apple’s Health Experiment is Riddled with Privacy Problems. GSK’s Patient Rheumatoid Arthritis Data from the Real World (PARADE) study will use the app to track… Continue Reading

North Carolina Criminalizes Nonconsensual Geotracking

The North Carolina General Assembly recently amended NC’s cyberstalking law to prohibit nonconsensual geotracking. The Governor hasn’t signed it yet, but he almost certainly will. Sponsored by Senators Fletcher Hartsell and Josh Stein, the amendment makes it a misdemeanor to knowingly geotrack another or cause her to be geotracked, absent her consent. There are 11… Continue Reading

NAIC Adopts Cybersecurity Principles

The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force just adopted regulatory guidance on cybersecurity. This guidance for regulators comes in the form of 12 “Principles for Effective Cybersecurity” designed to promote uniformity in an industry regulated by the states. Most of the principles are standard issue stuff: regulators must ensure protection for PII collected, stored, or… Continue Reading

Markey Report Highlights Security Issues with Car Electronics

United States Senator Edward J. Markey of Massachusetts recently issued a report on the security of car electronics. How secure are they? Not very. Today’s cars contain more than 50 networked electronic control units that may collect data, some of which are collecting data we might not want collected and some or all of which are typically vulnerable to… Continue Reading

White House Issues Interim Progress Report on Big Data

Earlier this month, the White House released its Interim Progress Report on implementation of the recommendations made by its big data and privacy working group. Highlights: (1) Draft legislation implementing a revised Consumer Privacy Bill of Rights (first published for comment in 2012) will be released by the end of the month. (2) The administration… Continue Reading

FINRA’s Report on Cybersecurity Practices

FINRA just published a report on the cybersecurity practices of member firms, based on the targeted examinations it recently conducted on this very topic. While the report claims that it creates no new legal or regulatory requirements, it doesn’t read that way, and broker-dealers would be foolish to overlook it. (NB: Cybersecurity goes beyond protecting customer information from disclosure to hackers.… Continue Reading

The FTC’s Internet of Things Report

According to the Federal Trade Commission, the Internet of Things (IoT) “refers to the ability of everyday objects to connect to the Internet and to send and receive data.” Consumer-focused IoT devices include wearable electronics like watches and fitness bands, as well as the controls and appliances commonly found in “smart” homes and so-called “connected… Continue Reading