Cloud services providers subject to HIPAA when handling ePHI

Entities subject to Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) compliance may use cloud services to store and process electronic protected health information (ePHI). According to HHS’ health information privacy guidance, to do so, the covered entity or the entity’s business associate must enter into a HIPAA-compliant business associate agreement (BAA) or contract with the entity’s chosen cloud services provider (CSP).

CSP requirements

CSPs are legally separate entities from the covered entity, and offer online access to shared computing resources. Their functions range from data storage to software solutions, such as electronic medical record systems. When a HIPAA-covered entity retains a CSP’s services to handle ePHI, that CSP becomes a business associate under HIPAA, even if the CSP is a subcontractor under another business associate. Even if the ePHI processed or stored by the CSP is encrypted and the CSP does not hold the encryption key, the CSP is subject to the HIPAA rules.

Business associate agreement

A BAA establishes the permitted and required uses and disclosures of ePHI for the CSP, and is a requirement under HIPAA. A covered entity must have clear understanding of the services provided by the CSP to ensure that a risk analysis can be conducted and the appropriate provisions are included in the BAA. More specific business expectations may be included in a service level agreement (SLA), and the SLA’s provisions should be consistent with HIPAA and the BAA.

The BAA can also establish the way the CSP is to report security incidents to the covered entity. The Security Rule (45 C.F.R. Parts 160 and 164) requires that business associates identify and respond to security incidents, mitigate their effects, document the incidents, and report them. The BAA must require such reporting, but the rule is flexible and allows the parties to determine the frequency, level of detail, and format of the reports.

Webinar helps covered entities with third-party risk management

Third-party risk management requires a comprehensive vendor risk management program capable of verifying that vendor security controls are effective, according to a Health Care Compliance Association (HCCA) webinar presented by Nadia Fahim-Koster, of Meditology Services, and Alex Masten, of CORL Technologies. Masten noted that risk management is ultimately about “assurance” and, therefore, the development of a risk management program requires data and monitoring designed to assure covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) that vendors are adequately safeguarding protected health information (PHI).

Fahim-Koster detailed the scope of third-party breach risks, including: HIPAA violations, negative media coverage, undermined patient trust, undermined employee trust, HHS Office for Civil Rights (OCR) penalties, lawsuits, breach notification costs, and the uncertainty of business associate reimbursement. Additionally, all of these risks are evolving as technology changes. For example, Fahim-Koster reminded providers that third-party breach risks have increased in complexity with the expansion of disruptive technologies like the Internet of Things (IoT) and migration to the cloud.

Masten noted that part of the problem with third-party risk management stems from the fact that the majority of vendors with access to PHI are small. Masten explained that this fact is unfortunate because small vendors are vastly more likely, when compared to larger vendors, to be involved in a breach. Additionally, small vendors are more likely to enter into subcontracts, leaving CEs confused about or ignorant of the subcontractor’s breach protection measures. Masten also noted that only 26 percent of vendors have a security certification and many vendors don’t have designated security personnel. In fact, only 39 percent of vendors have at least one designated security staff member. Above all, Masten cautioned that breaches can happen at any time to any kind or size of vendor.

Vendor security program

To implement a vendor security program, Masten said CEs should take the following four steps: (1) profile vendors and rank them by risk; (2) conduct due diligence through risk assessments; (3) apply a risk strategy based upon the gaps identified by the risk assessment; and (4) monitor vendors for breaches, third-party assurances, and implementation of the risk strategy. Due to the complexity of monitoring what can be as many as thousands of vendor contracts, Masten suggested that entities may need multiple full-time employees dedicated to the data collection and monitoring of third parties. He also suggested that providers increase efficiency by developing a comprehensive vendor questionnaire to assess the risks associated with each vendor.

Medicaid spending growth up as enrollment surge slows

National growth in Medicaid enrollment and total Medicaid spending slowed substantially in fiscal year (FY) 2016 and are projected to continue to slow, despite record increases in FY 2015. The decline occurs as the initial enrollment surge under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) coverage expansions tapers off and prices for high-cost and specialty drugs rise, according to the Kaiser Family Foundation’s annual 50-state Medicaid Budget Survey.

Medicaid spending on the rise

The survey projects an increase in state Medicaid spending growth in FY 2017 related to the requirement that Medicaid expansion states begin paying a five percent share of expansion costs on January 1, 2017. Before this date, the federal government committed to paying 100 percent of expansion costs. In expansion states, the median growth in Medicaid spending is estimated to be 5.9 percent in FY 2017, up from 1.9 percent in FY 2016. In non-expansion states, state Medicaid spending is projected to increase by 4 percent in FY 2017, compared to 3.9 percent in FY 2016. Thus, the differential in rates across expansion and non-expansion states is narrowing continually. As growth in overall state revenues slows or declines, pressure to control Medicaid spending increases.

Continued delivery system reforms

The survey also found that the majority of states are refining their pharmacy programs to control costs and are adopting or expanding strategies to deal with the opioid crisis. States are increasing reliance on managed care, with at least 75 percent of Medicaid beneficiaries enrolled in risk-based managed care organizations (MCOs) in the majority of states that contract with MCOs. Additionally, 29 states are adopting or expanding delivery system reforms, such as patient-centered medical homes and accountable care organizations (ACOs). Nearly every state reported actions to expand the number of people served in community settings.

AHA’s motion calls for end of appeals backlog litigation

The American Hospital Association (AHA) filed, on October 14, 2016, a motion for summary judgment formally requesting mandamus relief instructing the Secretary of HHS to comply with mandatory statutory deadlines and clear the backlog of pending Medicare claims appeals. In the motion, the AHA agrees that the backlog cannot be cured overnight, but argues that “the Secretary has treated difficulty as an excuse for inaction.”

Motion for summary judgment

The AHA requests that the court order the Secretary to implement three sets of solutions for the backlog: (1) offer reasonable settlements to broad groups of Medicare providers and suppliers; (2) delay repayment of at least some subset of disputed Medicare claims and toll the accrual of interest on those claims for waiting times beyond the statutory maximums; and (3) impose financial penalties on recovery audit contractors (RACs) for poor outcomes at the administrative law judge (ALJ) level. The AHA claims that the Secretary has the authority to implement each reform to target the existing backlog of appeals and reduce the number of future appeals. The motion also gives the Secretary the option to offer and implement proposals of her own that would have at least a significant effect on reducing the backlog and minimizing its impact in the interim.

Procedural history

The AHA, Baxter Regional Medical Center, Covenant Health, and Rutland Regional Medical Center (Medicare providers) asked the court to issue a writ of mandamus to compel HHS to process their long-pending Medicare claim-reimbursement appeals in accordance with statutory timelines. In December 2014, the D.C. district court declined to intervene to resolve the backlog of Medicare reimbursement appeals, stating that “the waiting game must go on.” Although the court agreed that HHS had violated its statutory obligations and reasoned that Recovery Audit Contractor (RAC) audits may have been worsening the problem, the court determined that it was not in a position to address the massive and growing administrative backlog because the problem required cooperation between Congress and HHS.

In February 2016, however, the D.C. Court of Appeals revived the case and sent it back to the district court because the backlog of delays had gotten worse. At that time, the Court of Appeals instructed the district court that “in all likelihood,” it should order HHS to comply with the appeals deadlines if HHS or Congress failed to make meaningful progress toward solving the problem within a reasonable period of time. The court pointed to the close of the next appropriations cycle (September 30, 2016) as the deadline for resolution. In response, the Secretary asked the district court to stay the proceedings until September 30, 2017, to allow HHS to move forward on various efforts designed to tackle the backlog of reimbursement appeals. The D.C. district court denied HHS’ request to delay further proceedings in the case, holding that the Secretary’s proposals to reduce the claims review backlog and comply with statutory review deadlines would not result in meaningful progress.