Business associate agreements remain ambiguous amidst cloud-computing advances


While clouds often symbolize a lazy sense of freedom or wistful disconnect, healthcare’s adoption of cumuli demands certain boundaries be established to keep the latest advances in information storage/sharing from raining down on the industry’s developing techno-ecosystem.

As Adam Greene — partner at the Law Offices of Davis Wright Tremaine and chairman for the HIMSS Cloud Security Workgroup — noted during his introduction at the Privacy & Security Forum in Boston last week, a purportedly successful outlet like cloud computing, rather liberated and undefined in these early stages, poses a lot of questions for providers and servicers alike regarding its receptiveness to hard HIPAA legalities.

“I don’t think we need to spend 20 minutes talking about the wonders of cloud computing services and the potential benefits there,” Greene began. “I thought this quote [from “The Economics of Cloud Computing” Booz Allen Hamilton Dec. 2010] did a pretty good job of encapsulating that: ‘Our analysis implies that over a thirteen year life cycle, the cost of implementing and sustaining a cloud environment may be as much as two-thirds lower than maintaining a traditional, non-virtualized IT data center.’”

But when looking at the plus side, it’s imperative to consider the additives or costs that got you there — in this case, the security and business deductions or additions inevitably tossed out or piled on.

“There is general consensus that, when properly deployed, cloud computing services potentially lower costs,” Greene said. “But at what cost? [In] healthcare, there has been a large resistance to moving to the cloud, because of, I think, primarily security concerns, including compliance with security requirements.”

A realm Greene specifically focused upon was that of the business associate agreement. At this point, during the arguable inception of the cloud, loose legal definitions riddle such a landscape and a sense of ambiguity reigns.

“Is a cloud computing provider a business associate?” Green queried. That depends on the individuals one speaks to, he said.

“In shorthand, a business associate is a person who, on behalf of a covered entity, performs a function or activity involving the use or disclosure of individually identifiable health information. We’ve seen in healthcare, cloud providers take different approaches here. Some have recognized that they’re a business associate, others point to potential ambiguity issues, like if there is a conduit exception to the definition of a business associate. For example, when you hand something over to FedEx, they’re a conduit — they’re not your business associate, they’re not acting on your behalf. That’s what [HIPAA] guidance talks about.”

For certain cloud services, the business associate declaration is mandated.

“For email providers, for online calendar providers, for those types of softwares and service providers, there needs to be a business associate agreement in place,” Greene explained. “OCR has [taken] a shot across the bow, an expensive one for one  particular physician practice, stating that at least in the area, yes, you are a business associate.“

“But they haven’t made it as clear for other types of cloud providers,” he added. “Infrastructure-as-service providers or platform-as-service providers. You do have some ambiguity in this area.”

Servicers who do not enter into business associate agreements with their covered entities (such as physician practices/organizations and hospital groups), often refer to a previous OCR ruling on storage practices as fodder for their actions.

“There is actually a letter dating back to 2003 where OCR sent out a letter to a public storage company in response to their question that said a public storage company that just receives protected health information in sealed boxes and doesn’t have any use or disclosure of that information unless a box breaks and they have to fix it,  is not a business associate.”

“Some people have said maybe that means if you’re just providing the electronic equivalent of storage and you’re not doing anything with it, then you’re not a business associate,” Greene continued. “Others have said  no, it’s another creature entirely and more still have said, well maybe if it’s encrypted“ the cloud provider's role can remain not one of business associate.”

Regardless, for the covered entity in particular, knowing where your cloud provider stands regarding business associate agreements is important to grasp going forward and necessary to the integrity of that union.

Even though “there’s nothing out there that says all cloud providers are business associates,” Green said, “we may see something like that in a final rule.” And if that rule comes down or not, it’s always comforting to know where you stand when your head is in the clouds.