1. #rightscale
HIPAA in Public Cloud
The Rules Have Been Set
Watch the video of this presentation

2. #rightscale
#2
Your Panel Today
Presenting
• Phil Cox, Director of Security and Compliance, RightScale
Q&A
• Ryan Geyer, Cloud Solutions Engineer, RightScale
• Michael Curry, Account Manager, RightScale
Please use the “Questions” window
to ask questions any time!

3. #rightscale
#3
Introduction
• On January 25, 2013, HHS released the Omnibus Rule which
finalized all the former HIPAA/HITECH interim rules
• Most of this session will be about HIPAA/HITECH and not
necessarily cloud (if you don‟t understand the former, you‟ll have
no clue how to applies it to the latter)

4. #rightscale
#4
#rightscalecompute
My Core Message for Today:
HIPAA compliance in
public cloud is about
governance

5. #rightscale
#5
Can Using RightScale Help?
• RightScale‟s management features can be helpful as companies
work to comply with HIPAA:
• Monitoring
• Access control
• Audit trails
• ServerTemplate
• Advanced monitoring and auditing capabilities are best practices
that will help you comply with HIPAA regulations
• Gives visibility into system access and configurations when
performing a risk assessment after an allegation of a breach

6. #rightscale
#6
Healthcare in the Cloud with RightScale
• Developed self-service lab
environments
• Reduced provisioning time from
25 days to 30 minutes
• Measures costs in cents per hour
for compute and storage
• Integrated public and private
clouds
• Satisfied regulatory and audit
requirements
• Automated provisioning for
Windows environments

7. #rightscale
#7
Agenda
• Quick HIPAA level set
• Key Rules
• Wrap-up

8. #rightscale
#8
Important Terms
• Covered Entity:
• A health plan, A health care clearinghouse, A health care provider who
transmits any health information in electronic form in connection with a
transaction
• Business Associate: Operates on behalf of a CE
• Think: function or activity involving the use or disclosure of individually
identifiable health information: claims processing or administration, data
analysis, processing or administration, utilization review, quality
assurance, billing, benefit management, etc.
• Protected Healthcare Information
• Think Individually identifiable health information:
• Any demographic information related to the condition, provision or
payment of health care to an individual
• Identifies the individual

9. #rightscale
#9
More Term Definition
• HHS – US Department of Health and Human Services. Basically
the ones that make the rules 
• Secretary – Runs HHS
• NIST – National Institute of Standards and Technology (US). The
US federal technology agency that, for our purposes, works with
industry to develop technology standards and guidance.
• US Federal government defers to NIST tech publications and standards
for just about everything.

10. #rightscale
#10
About HIPAA
• HIPAA is the Health Insurance Portability and Accountability Act
of 1996
• Title II: Preventing Health Care Fraud and Abuse; Administrative
Simplification; Medical Liability Reform
• Defines policies, procedures and guidelines for maintaining the privacy
and security of individually identifiable health
• 3 Main “Rules” from the Administrative Simplification Rules
• Privacy Rule
• Security Rule
• Breach Notification Rule
• More about these later …

11. #rightscale
#11
About HITECH
• HITECH Act, part of the American Recovery and Reinvestment
Act of 2009
• Made law February 17, 2009 (13 years after HIPAA)
• Is the “enforcement” rule that gave HIPAA teeth

12. #rightscale
#12
Back to HIPAA: The “3 Main Rules”
• They apply to covered entities and business associates
• Privacy: Impose controls around preventing unauthorized
disclosure of protected healthcare information in any form
• Security: Purpose is to prevent unauthorized electronic access
to protected healthcare information
• Breach Notification: Purpose is to ensure timely notification of
affected parties in event of a failure in the above 2 controls

13. #rightscale
#13
Privacy Rule Primer
• Requires appropriate safeguards to protect the privacy of
personal health information
• Sets limits and conditions on the uses and disclosures that
may be made of such information without patient authorization
• All about authorized disclosure

14. #rightscale
#14
Security Rule Primer
• Maintain reasonable and appropriate administrative, technical,
and physical safeguards for protecting e-PHI
• Specifically:
• Ensure the confidentiality, integrity, and availability of all e-PHI they
create, receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security
or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures;
and
• Ensure compliance by their workforce
• Required and Addressable Implementation Specifications
• “Required" implementation specifications must be implemented
• “Addressable" permits entities to adopt an alternative measure that
achieves the purpose of the standard

15. #rightscale
#15
Breach Notification Primer
• Notification required if breach involved unsecured protected
health information
• Unsecured is PHI that has not been rendered unusable, unreadable, or
indecipherable to unauthorized individuals
• Covered entities must notify
• Affected individuals
• Prominent media outlets serving the State or jurisdiction if >500 residents
• Notify HHS within 60 days (if <500 can do annually)
• Business Associate must notify the covered entity (w/in 60 days)
• Burden of proof
• All required notifications have been provided –OR–
• Disclosure did not constitute a breach

16. #rightscale
#16
Key Issues When Dealing with “Cloud”
• Per the recent NIST conference:
• Location
• Where is PHI? – geo location
• Providers need to give assurance and warrants
• Breach
• What does the provider do to prevent breaches of PHI?
• If there is a breach, what is the response capability?
• Access
• Proper controls to limit access
• Monitoring – Can provider give the following
• Not only modifications, but read/print too?
• Any access?

17. #rightscale
#17
Agenda
• Quick HIPAA level set
• Key Rules
• Wrap-up

18. #rightscale
#18
Changes Affecting HIPAA & Public Cloud
• Business Associates
• Breach notification
• State law preemption
• Use of PHI in Marketing
• Application of HIPAA to hybrid entities

19. #rightscale
#19
Business Associate
• By law, the HIPAA Privacy Rule applied only to covered entities
• The Privacy Rule allows covered providers and health plans to
disclose protected health information to these “business
associates” if the providers or plans obtain satisfactory
assurances that the business associate will use the information
only for the purposes for which it was engaged by the covered
entity, will safeguard the information from misuse, and will help
the covered entity comply with some of the covered entity‟s
duties under the Privacy Rule.

20. #rightscale
#20
Who Is a Business Associate?
• Those who will create, receive, maintain, or transmit protected
health information for a covered entity
• Generally a person who performs functions or activities on behalf of, or
certain services for, a covered entity that involve the use or disclosure of
protected health information.
• New: Specific call out for
• Patient Safety Organizations
• Health Information Organizations (HIO), E-Prescribing Gateways, and
Other Persons That Facilitate Data Transmission; as Well as Vendors of
Personal Health Records
• Subcontractors {recursive}

21. #rightscale
#21
There are Exceptions
• Incidental Access: With persons or organizations (e.g.,
janitorial service or electrician) whose functions or services do
not involve the use or disclosure of protected health information,
and where any access to protected health information by such
persons would be incidental, if at all.
• Conduit: With a person or organization that acts merely as a
conduit for protected health information, for example, the US
Postal Service, certain private couriers, and their electronic
equivalents…

22. #rightscale
#22
Conduit Exception Clarification
• ... We note that the conduit exception is limited to
transmission services (whether digital or hard copy)… In
contrast, an entity that maintains protected health information on
behalf of a covered entity is a business associate and not a
conduit, even if the entity does not actually view the protected
health information…the difference between the two situations is
the transient versus persistent nature of that opportunity.
For example, a data storage company that has access to
protected health information (whether digital or hard copy)
qualifies as a business associate, even if the entity does not
view the information or only does so on a random or infrequent
basis. (emphasis added)

23. #rightscale
#23
Why BA Focus?
• 1/3 of all breaches related to 3rd parties
• 55% of people affected related to 3rd parties
• So a 3rd party disclosure has a larger impact than a non-3rd party

24. #rightscale
#24
HHS Theme with BA
• Persistency of data, not degree of access is the key driver
• Focus on:
• Security rule: Tech, Admin, Physical
• Privacy rule: Use and disclosure
• Direct liability
• Criminal & Civil
• Flows to sub-contractors
• Does encryption remove you from BA?
• At this time, as I understand it, NO.
• More on this in a bit …

25. #rightscale
#25
What HHS Is Pushing
• Trend is more towards risk
• Beef up contracts WRT security
• Represent and warrant that they meet the controls that are specified in the appendix of the
contract/agreement
• Pre-contract assessment (quick hit)
• Post contract audit
• Risk Assessment
• Short form
• What PHI
• Where is it
• Use that to assess risk and identify specific controls for a given BA

26. #rightscale
#26
Direct Liability & Sub-Contractors
• Modified to implement the HITECH Act‟s provisions extending
direct liability for compliance to business associates
• Now directly liable for civil money penalties
• A subcontractor that creates, receives, maintains, or transmits
protected health information on behalf of a business associate,
including with respect to personal health record functions, is a
HIPAA business associate
• BA must have a BAA with subcontractors (just another BA). This is
recursive.

27. #rightscale
#27
BAA: Is It Optional?
• Per Page 5591
• Comment: One commenter suggested that business associate
agreements should be an „„addressable‟‟ requirement under the
Security Rule.
• Response: The HITECH Act does not remove the requirements
for business associate agreements under the HIPAA Rules.
Therefore, we decline to make the execution of business
associate agreements an „„addressable‟‟ requirement under the
Security Rule.
• If you decide to forego the BAA, make an informed decision …

28. #rightscale
#28
Changes to Breach Notification Rule
• Clarified the term “Breach”
• Basically guilty until proven innocent
• Changed “risk of harm” to “low probability PHI compromised”
• Means you have to do a risk assessment. Can you? (next slide)
• Changed „„unauthorized individuals‟‟ to „„unauthorized persons.‟‟
• How does the BNR affect you?
• You need to be watching (if not, maybe “willful neglect”?)
• Review is important
• Need to have a mechanism for notification
• Business Associates need to notify Covered Entities

29. #rightscale
#29
Risk Assessment Considerations
1. Nature and extent of PHI involved
• Types of identifiers and likelihood of re-identification
2. Who accessed/used the information
3. If the PHI was actually acquired/viewed
4. Extent to which the risk to PHI has been mitigated
-OR-
Notify!

30. #rightscale
#30
What about Encryption?
• If Protected health information (PHI) is rendered unusable,
unreadable, or indecipherable to unauthorized individuals – then
no Breach Notification
• Encryption must be consistent with NIST guidelines:
• NIST Special Publication 800-111 (storage)
• NIST Special Publications 800-52, 800-77 (transit)
• NIST Special Publication 800-88 (destruction)
• Federal Information Processing Standards (FIPS) 140-2 (validated crypto)
• It does not remove you from being a BA, but does limit Breach
notification
• NIST conference seemed to indicate HHS is looking at this.

31. #rightscale
#31
Preemption of State Law
• HIPAA privacy requirements supersede only contrary provisions
of State law UNLESS State law provides more stringent privacy
protections than the HIPAA Privacy Rule

32. #rightscale
#32
Marketing & Other Use of PHI
• Marketing communications that involve financial remuneration
• In reality anything other than billing that involves financial remuneration
• Covered entity must obtain a valid authorization from the
individual before using or disclosing
• Authorization must disclose the fact that the covered entity is
receiving financial remuneration from a third party

33. #rightscale
#33
Hybrid Entities
• Covered entity itself, and not merely the health care
component (HCC)
• If you share PHI with the non HCC part of your org, could be
considered a breach
• Responsible for business associate arrangements and
other organizational requirements
• Hybrid entities may need to execute legal contracts and
conduct other organizational matters at the level of the
legal entity rather than at the level of the health care
component

34. #rightscale
#34
Consequences
• Fines
• Caps on types, not totals
Violation Category Each Violation Annual cap on
identical violations
Did not know $100-$50,000 $1.5m
Reasonable Cause $1,000-$50,000 $1.5m
Willful Neglect - Corrected $10,000-$50,000 $1.5m
Willful Neglect – Not Corrected $50,000 $1.5m

35. #rightscale
#35
Real World Example
• Idaho State University (ISU): 17,500 patients at ISU's Pocatello
Family Medicine Clinic.
• The breach was blamed on the disabling of firewall protections, and failure
of ISU to notice the change or the lack of protection.
• Consequences
• $400,000 fine (>$20/account) + internal costs ($200K)
• 2 year Corrective Action Plan, defining enhanced security procedures and
increased reporting to HHS – Likely 1 FTE ($400K over 2 years)
• Proactive:
• A firewall management tool- $40K procurement, $15K second year
maintenance costs and .1 FTE.
• Punch Line: If they had spent $75K could have saved $1M

36. #rightscale
#36
Timeframes
• Passed January 25th, 2013
• In effect March 26, 2013
• Compliance date is September 23, 2013
• 180 days: “In addition, to make clear to the industry our expectation that
going forward we will provide a 180-day compliance date for future
modifications to the HIPAA Rules …”

37. #rightscale
#37
Conclusion
• Rules are set, you should read the Omnibus Rule
• Managing your Business Associates are critical
• If you are a Business Associate, you now have direct liability
• You are responsible for your subcontractors and they for their
subcontractors
• Good security, as always, will cover most of what you need.

38. #rightscale
#38
Can Using RightScale Help?
• RightScale‟s management features can be helpful as companies
work to comply with HIPAA:
• Monitoring
• Access control
• Audit trails
• ServerTemplate
• Advanced monitoring and auditing capabilities are best practices
that will help you comply with HIPAA regulations
• Gives visibility into system access and configurations when
performing a risk assessment after an allegation of a breach

39. #rightscale
#39
Status on Our Cloud Providers and BAA
• The good news is that several of our cloud providers will sign a
BAA.
• Azure: Will sign a BAA
• Datapipe: On a case-by-case basis
• AWS: No public statement
• We have heard from at least one customer that they were able to get AWS
to sign a BAA
• GCE: Not at this time
• Rackspace: Not at this time
• Softlayer: Not at this time

40. #rightscale
#40
RightScale and BAA
• We do not “create, receive, maintain, or transmit” PHI
• We do not have access to PHI
• If we are invited to an account, we may have “incidental” access
• RightLink runs on the instance, it does not interact with the
electronic personal health information (ePHI) as part of its
normal operations
• You are not required to sign a BAA with your AV vendor
• Our understanding is that RightScale is not a Business
Associate

41. #rightscale
#41
Questions?

42. #rightscale
#42
My Contact Info
• Email: phil@rightscale.com
• Twitter: sec_prof
• Google+: phil@rightscale.com