
We have a scenario at my employer where we host an application that is used for uploading, storing, & managing documents related to patients' bills from healthcare providers. It is our knowledge so far that these documents contain PHI, and there are many policies developed in our Security Program to mitigate the risks of our current hosting solution.

From a pure application architecture standpoint the application is quickly expanding its used disk space, and we are trying to decide if we can leverage Cloud storage in any way. Obviously, introducing another hosting provider must be accompanied by our verification of risk mitigation on their behalf, such as in the form of a Business Associate Agreement (BAA)...

at least that is the traditional way that the "chain of custody" is maintained from any number of hosting providers.

First I'll ask: am I off base with that statement ^^?

Then I'll ask the question: is a BAA required (by law?) to host PHI such that a chain of custody exists? If not, is a BAA still applicable or even plausible for anyone looking to use Cloud provider services?

Thank you for help! Cheers! SAM

1 Answer

You are not off base in your assessment. Putting PHI in the cloud means that provider is now responsible for compliance. They now play an important part in the chain of custody of the PHI.

BAAs are required inasmuch as if you use a cloud provider and don't have an air-tight BAA, you're on the hook for the risk. Think of the chain this way:

Hospital (Covered Entity) <-> You serving the hospital (BA) <-> AWS

You likely have a BAA with the hospital where you took on all the technical risk of handling the hospital's PHI. But AWS is a critical part in the chain that is handling the PHI. If you don't have a BAA with AWS, you are not handing off the compliance risk to the party who is actually responsible. For example, if for some ungodly reason a major data center was broken into and hard drives are stolen, YOU are on the hook if you don't have a BAA.

However, note that all public clouds only cover a very small fraction of compliance in totality. The translation is "chain of custody" to "Shared Responsibility Model". Here is AWS's: https://aws.amazon.com/compliance/shared-responsibility-model/

So, for example with AWS, they only cover about 1/10th (physical safeguards, firewall). Their BAA doesn't take on other controls like encryption or logging or disaster recovery.

If you want to use the cloud, you should investigate a company like Datica, which I work for. Companies like that who sit on top of public clouds will maintain and take on the risk of the other 9/10ths, so to speak. You might find this resource valuable for explaining the concept.