Speaker: Phil Cox - Director of Security and Compliance, RightScale On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Insurance Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. Many organizations have based their architectures and implementations on previous proposed and interim regulations, some of which are no longer valid. Anyone falling under HIPAA requirements is required to meet these new definitive compliance requirements by September 23, 2013. This talk will discuss the parts of the Omnibus rule that affect the cloud landscape, and how you can successfully deploy a HIPAA-compliant application in the public cloud.

1. april25-26
sanfrancisco
cloud success starts here
HIPAA in Public Cloud
The Rules Have Been Set

2. #2#2
#rightscalecompute
#2
Introduction
• On January 25, 2013, HHS released the Omnibus Rule which
finalized all the former HIPAA/HITECH interim rules
• Most of this session will be about HIPAA/HITEC and not
necessarily cloud (if you don‟t understand the former, you‟ll
have no clue how to applies it to the latter)

3. #3
#rightscalecompute
My Core Message for Today:
HIPPA compliance in
public cloud is about
governance

4. #4#4
#rightscalecompute
#4
Agenda
• Quick HIPPA level set
• Main changes
• Wrap-up

5. #5#5
#rightscalecompute
#5
About HIPAA
• HIPAA is the Health Insurance Portability and Accountability Act
of 1996
• Title II: Preventing Health Care Fraud and Abuse; Administrative
Simplification; Medical Liability Reform
• Defines policies, procedures and guidelines for maintaining the privacy
and security of individually identifiable health
• 3 Main “Rules” from the Administrative Simplification Rules
• Privacy Rule
• Security Rule
• Breach Notification Rule

6. #6#6
#rightscalecompute
#6
The “3 Main Rules”
• They apply to covered entities and business associates
• Privacy: Impose controls around preventing unauthorized
disclosure of protected healthcare information in any form
• Security: Purpose is to prevent unauthorized electronic access
to protected healthcare information
• Breach Notification: Purpose is to ensure timely notification of
affected parties in event of a failure in the above 2 controls

7. #7#7
#rightscalecompute
#7
About HITECH
• HITECH Act, part of the American Recovery and Reinvestment
Act of 2009
• Made law February 17, 2009 (13 years after HIPAA)
• Is the “enforcement” rule that give HIPAA teeth

8. #8#8
#rightscalecompute
#8
Important Terms
• Covered Entity:
• A health plan, A health care clearinghouse, A health care provider who
transmits any health information in electronic form in connection with a
transaction
• Business Associate: Operates on behalf of a CE
• Think: function or activity involving the use or disclosure of individually
identifiable health information: claims processing or administration, data
analysis, processing or administration, utilization review, quality
assurance, billing, benefit management, etc.
• Protected Healthcare Information
• Think Individually identifiable health information:
• Any demographic information related to the condition, provision or
payment of health care to an individual
• Identifies the individual

9. #9#9
#rightscalecompute
#9
Privacy Rule Primer
• Requires appropriate safeguards to protect the privacy of
personal health information
• Sets limits and conditions on the uses and disclosures that
may be made of such information without patient authorization
• All about authorized disclosure

10. #10#10
#rightscalecompute
#10
Security Rule Primer
• Maintain reasonable and appropriate administrative, technical,
and physical safeguards for protecting e-PHI
• Specifically:
• Ensure the confidentiality, integrity, and availability of all e-PHI they create,
receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security
or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures;
and
• Ensure compliance by their workforce
• Required and Addressable Implementation Specifications
• “Required" implementation specifications must be implemented
• “Addressable" permits entities to adopt an alternative measure that
achieves the purpose of the standard

11. #11#11
#rightscalecompute
#11
Breach Notification Primer
• Notification required if breach involved unsecured protected
health information
• Unsecured is PHI that has not been rendered unusable, unreadable, or
indecipherable to unauthorized individuals
• Covered entities must notify
• Affected individuals
• Prominent media outlets serving the State or jurisdiction if >500 residents
• Notify HSS within 60 days (if <500 can do annually)
• Business Associate must notify the covered entity (w/in 60
days)
• Burden of proof
• All required notifications have been provided –OR–
• Disclosure did not constitute a breach

12. #12
#rightscalecompute
Subliminal Messaging: 
HIPPA compliance in
public cloud is about
governance

13. #13#13
#rightscalecompute
#13
Main Changes
• Business Associates
• State law preemption
• Use of PHI in Marketing
• Application of HIPAA to hybrid entities
• Breach notification

14. #14#14
#rightscalecompute
#14
Business Associate
• By law, the HIPAA Privacy Rule applied only to covered entities
• The Privacy Rule allows covered providers and health plans to
disclose protected health information to these “business
associates” if the providers or plans obtain satisfactory
assurances that the business associate will use the
information only for the purposes for which it was engaged by
the covered entity, will safeguard the information from misuse,
and will help the covered entity comply with some of the
covered entity‟s duties under the Privacy Rule.

15. #15#15
#rightscalecompute
#15
Who is a Business Associate?
• Those who will create, receive, maintain, or transmit protected
health information for a covered entity
• Generally a person who performs functions or activities on behalf of, or
certain services for, a covered entity that involve the use or disclosure of
protected health information.
• New: Specific call out for
• Patient Safety Organizations
• Health Information Organizations (HIO), E-Prescribing Gateways, and
Other Persons That Facilitate Data Transmission; as Well as Vendors of
Personal Health Records
• Subcontractors {recursive}

16. #16#16
#rightscalecompute
#16
Conduit and Incidental exceptions
• With persons or organizations (e.g., janitorial service or
electrician) whose functions or services do not involve the use
or disclosure of protected health information, and where any
access to protected health information by such persons would
be incidental, if at all.
• With a person or organization that acts merely as a conduit for
protected health information, for example, the US Postal
Service, certain private couriers, and their electronic
equivalents.

17. #17#17
#rightscalecompute
#17
Conduit exception clarification
• ... We note that the conduit exception is limited to
transmission services (whether digital or hard copy)… In
contrast, an entity that maintains protected health information
on behalf of a covered entity is a business associate and not
a conduit, even if the entity does not actually view the
protected health information…the difference between the two
situations is the transient versus persistent nature of that
opportunity. For example, a data storage company that has
access to protected health information (whether digital or hard
copy) qualifies as a business associate, even if the entity does
not view the information or only does so on a random or
infrequent basis. (emphasis added)

18. #18#18
#rightscalecompute
#18
BAA: Is it Optional?
• Per Page 5591
• Comment: One commenter suggested that business associate
agreements should be an „„addressable‟‟ requirement under the
Security Rule.
• Response: The HITECH Act does not remove the requirements
for business associate agreements under the HIPAA Rules.
Therefore, we decline to make the execution of business
associate agreements an „„addressable‟‟ requirement under the
Security Rule.
• If you decide to forego the BAA, make an informed decision …

19. #19#19
#rightscalecompute
#19
Direct Liability & Sub-Contractors
• Modified to implement the HITECH Act‟s provisions extending
direct liability for compliance to business associates
• Now directly liable for civil money penalties
• A subcontractor that creates, receives, maintains, or transmits
protected health information on behalf of a business associate,
including with respect to personal health record functions, is a
HIPAA business associate
• BA must have a BAA with subcontractors (just another BA). This is
recursive.

20. #20#20
#rightscalecompute
#20
Status on our cloud providers and BAA
• The good news is that several of our cloud providers will sign a
BAA.
• Azure: Will sign a BAA
• Datapipe: On a case-by-case basis
• AWS: No public statement
• We have heard from at least one customer that they were able to get AWS
to sign a BAA
• GCE: Not at this time
• Rackspace: Not at this time
• Softlayer: Not at this time

21. #21#21
#rightscalecompute
#21
RightScale and BAA
• We do not have access to ePHI
• If we are invited to an account, we may have “incidental” access
• RightLink runs on the instance, it does not interact with the
electronic personal health information (ePHI) as part of its
normal operations
• You don‟t sign a BAA with your AV vendor
• Our understanding is that RightScale is not a Business
Associate

22. #22#22
#rightscalecompute
#22
Preemption of State Law
• HIPAA privacy requirements are to supersede only contrary
provisions of State law
• State law supersedes where the provision of State law provides
more stringent privacy protections than the HIPAA Privacy Rule

23. #23#23
#rightscalecompute
#23
Marketing use of PHI
• Marketing communications that involve financial remuneration
• Covered entity must obtain a valid authorization from the
individual before using or disclosing
• Authorization must disclose the fact that the covered entity is
receiving financial remuneration from a third party

24. #24#24
#rightscalecompute
#24
Hybrid entities
• Covered entity itself, and not merely the health care
component
• Responsible for business associate arrangements and
other organizational requirements
• Hybrid entities may need to execute legal contracts and
conduct other organizational matters at the level of the
legal entity rather than at the level of the health care
component

25. #25#25
#rightscalecompute
#25
Changes to Breach Notification Rule
• Clarified the term “Breach”
• Basically guilty until proven innocent
• Changed “risk of harm” to “low probability PHI compromised”
• Means you have to do a risk assessment. Can you?
• Changed „„unauthorized individuals‟‟ to „„unauthorized persons.‟‟
• How does the BNR affect you?
• You need to be watching (remember willful neglect?)
• Review is important
• Need to have a mechanism for notification
• Business Associates need to notify Covered Entities

26. #26#26
#rightscalecompute
#26
Consequences
• Fines
• Caps on types, not totals
Violation Category Each Violation Annual cap on
identical violations
Did not know $100-$50,000 $1.5m
Reasonable Cause $1,000-$50,000 $1.5m
Willful Neglect - Corrected $10,000-$50,000 $1.5m
Willful Neglect – Not Corrected $50,000 $1.5m

27. #27#27
#rightscalecompute
#27
Time Frames
• Passed January 25th, 2013
• In effect March 26, 2013
• Compliance date is September 23, 2013
• 180 days: “In addition, to make clear to the industry our expectation that
going forward we will provide a 180-day compliance date for future
modifications to the HIPAA Rules …”

28. #28
#rightscalecompute
Subliminal Messaging: 
HIPPA compliance in
public cloud is about
governance

29. #29#29
#rightscalecompute
#29
Conclusion
• Rules are set, you should read the Omnibus Rule
• Managing your Business Associates are critical
• If you are a Business Associate, you now have direct liability
• You are responsible for your subcontractors and they for their
subcontractors
• Good security, as always, will cover most of what you need.

30. #30#30
#rightscalecompute
#30
Can using RightScale help?
• RightScale‟s management features can be helpful as
companies work to comply with HIPAA
• Features such as:
• Monitoring
• Access control
• Audit trails
• ServerTemplate
• While not “HIPAA compliance features” can be tools that could
help customers implement their HIPAA procedures.

31. april25-26
sanfrancisco
cloud success starts here

32. #32#32
#rightscalecompute
#32
My Contact Info
• Email: phil@rightscale.com
• Twitter: sec_prof
• Google+: phil@rightscale.com