HIPAA Compliance in the Cloud

Cloud requirements for maintaining HIPAA compliance while working with healthcare data online.

Table of Contents

  1. What is HIPAA?
  2. Who does HIPAA apply to?
  3. How does HIPAA compliance work?
  4. Can we get HIPAA certified? Is Aptible HIPAA certified?
  5. What is HITRUST?
  6. How does Enclave® help with HIPAA?
  7. How does Gridiron® help with HIPAA?
  8. Additional Resources

What is HIPAA?

HIPAA” is the Health Insurance Portability and Accountability Act of 1996, a federal law in the United States that requires certain organizations to protect the privacy and security of individually identifiable health data. HIPAA calls this data “protected health information,” or “PHI.”

When people say “HIPAA compliance,” often they are referring to compliance with HIPAA’s regulatory rules, which are are enacted and enforced by the Department of Health and Human Services (“HHS”). Within HHS, the Office for Civil Rights (“OCR”) investigates violations and applies penalties, including civil monetary fines.

The HIPAA regulations continue to evolve over time, with OCR adding new sets of rules to the regulations to implement its underlying statutory authority. The Privacy Rule went into effect in 2003, the Security Rule went into effect in 2005, and the Enforcement Rule was finalized in 2006.

In 2009, as part of the American Recovery and Reinvestment Act stimulus, Congress created a slush fund to incentivize adoption of electronic medical records. While they were at it, the also decided HIPAA needed a big update, and put both the money and the update in an act called the Health Information Technology for Economic and Clinical Health (“HITECH”).

The HITECH update expanded liability to vendors and other “business associates” that handle PHI, added breach notification requirements, increased penalties for non-compliance, and added an audit program. HITECH had so many changes, HHS just called the regulatory update the “Omnibus Rule.” It went final in 2013 and is the most recent major update as of 2017.

Often, if someone refers to just “HIPAA” alone, they mean HIPAA and HITECH as implemented in current regulations.

Who does HIPAA apply to?

HIPAA only regulates certain types of entities:

  1. Covered Entities” are health care providers that take insurance, the health insurance companies themselves, self-insured employers, and insurance claims clearinghouses.

  2. Business Associates” process PHI on behalf of Covered Entities.

How does HIPAA compliance work?

The HIPAA rules are laid out in a document called the “Administrative Simplification.” It’s a simplification of the Code of Federal Regulations, which is unfortunately not the same thing as being simple. What follows is a guide to HIPAA from the perspective of what it means for your operations and management.

Step 1: Determine if your organization is regulated

To determine for sure whether your specific organization is regulated, you should consult an attorney.

If you are a covered entity, you probably know it. If your business is structured as a health care practice and you take any insurance, your whole practice is likely covered.

If you create, receive, transmit, or maintain PHI on behalf of a covered entity, or another business associate, you’re likely a business associate.

HHS has issued guidance for developer teams to clarify how HIPAA works in the cloud and in specific health app scenarios.

Step 2: Document where and why you process PHI

Scoping the boundaries of your HIPAA compliance program lays the foundation for actually doing all of the other work you need to run the program itself. You’ll want to know:

  1. What people and functions within your organization need access to PHI to do their job? (e.g. operations, customer support, etc.)

  2. What assets process PHI, or can be used to access PHI? This includes infrastructure you build, open source projects you run in-house, laptops and phones with work accounts on them, etc.

  3. What vendors process PHI for you? AWS and Aptible are common examples. Common use cases are logging, analytics, error reporting, customer chat/live support, etc.

2.1 What is HIPAA PHI?

“Protected health information” is a mashup of two other types of data. Both need to be present in a data set for it to constitute PHI:

  1. The data must identify individuals, or there is a reasonable basis to believe it can be used to identify the individual (for example, web browsing data is almost certainly identifiable), and

  2. The data “[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”

Contextual data: It’s not clear whether individually identifiable data alone in the context of a healthcare organization constitutes PHI, but it seems likely. For example, if you send patients transactional emails, your email provider effectively has access to your patient list, but no specific health information. Is that PHI? Patient directories in hospitals are covered by HIPAA, so it seems likely, but we don’t know for sure.

De-Identification: Aggregate or de-identified data is not considered PHI. HIPAA has specific rules for how to de-identify datasets.

Encryption: Encrypting PHI does not change its status as PHI. If one of your vendors only comes into contact with encrypted PHI, it it still PHI and they still become your business associate.

Step 3: Implement privacy and security management programs to protect PHI

3.1 What does HIPAA require in terms of privacy management?

The Privacy Rule works like a whitelist. In the beginning, it says “[a] covered entity or business associate may not use or disclose protected health information except as permitted or required by [this Privacy Rule or the Enforcement Rule].” The rest of the Privacy Rule establishes what those permitted and required uses and disclosures of PHI are.

Obviously in order for you to be able to meet the Privacy Rule requirements, first you must put a privacy management system (meaning a set of rules) in place to control how PHI is used and disclosed in your organization. To comply with the Privacy Rule, your system should enable you to:

  • Track vendors and other entities that will process PHI on your behalf; track and maintain business associate contracts for customers and vendors

  • Track uses and disclosures of PHI and document why each a use or disclosure is permissible, if needed

  • De-identify and re-identify PHI securely, if needed

  • Ensure routine uses and disclosures are limited to the minimum necessary amount of PHI

  • Train your organization on your privacy rules and practices

  • Enforce those privacy rules and practices

  • Respond to privacy incidents and violations

  • Conduct required notifications under the Breach Notification Rule, if any

  • Regularly update the privacy management system itself

Covered entities have additional obligations under the Privacy Rule. In many cases, business associates may perform some of these functions as well:

  • Specifically appoint someone to administer the program and receive complaints (usually called a “Privacy Officer”)

  • Implement privacy safeguards

  • Provide patients with a notice of privacy practices

  • Document authorizations from patients for uses and disclosures not covered by HIPAA, and offer a way to revoke consent

  • Sanction workforce members who violate privacy policies

  • Mitigate the harm of privacy violations

In addition, covered entities (and in some cases business associates) must provide ways for patients to:

  • Request restrictions to how their PHI is used and disclosed

  • Access and copy their PHI

  • Request amendments to their PHI

  • Receive an accounting of how their PHI has been disclosed in the past 6 years

  • File complaints

The Privacy Rule requires “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information” but doesn’t specify what those are exactly.

3.2 What does HIPAA require in terms of security management?

The Security Rule is similar to the Privacy Rule, in that it specifies requirements for covered entities and business associates. The Security Rule is unique in that it only applies to electronic PHI, and it does require specific controls, divided into three categories:

  • Administrative Safeguards are controls related to your people, processes, oversight, and management. You must:

    • Assign someone to be responsible for information security (usually called a “Security Officer”)
    • Assess and manage risk. Predict bad things before they happen, prioritize them based on impact and likelihood, and apply appropriate security controls to reduce those risks to acceptable levels. The Privacy Rule doesn’t have a specific risk management requirement like the Security Rule, but in most cases it’s reasonable to use the same risk assessment model to manage privacy risks alongside security risks.
    • Write down how security is supposed to work beforehand, in the form of policies and procedures.
    • Train your workforce on those policies and procedures
    • Train for incident response and business continuity; test those plans regularly
  • Physical Safeguards require you to protect workstations and laptops, and other devices and media. Data centers and other facilities may be in scope if you control them, but most SaaS companies don’t. Using AWS, Aptible, GCP, and other platforms that offer business associate agreements are sufficient.

  • Technical Safeguards are controls you build (for apps and systems you design) or that need to be present in systems you buy or OSS you run on your own. The Technical Safeguards include:

    • Authentication
    • Access control and session management
    • Audit logging
    • Encryption of data at rest
    • Encryption of data in transit, and
    • Data integrity checks (as needed)

Your specific implementation of these controls should be based on your specific risk model, and the relevant threats you face.

3.3 What does the HIPAA Breach Notification Rule require?

The HIPAA breach notification rule requires that you report certain types of breaches. Covered entities are required to notify individuals affected, the Secretary of HHS, and (for large breaches) the media. Business associates are required to report breaches to their covered entity customers by default, but are permitted to conduct notifications on behalf of the covered entity if the covered entity agrees.

In any case, HIPAA requires entities to provide their required notifications “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” In cases where a subvendor business associate is involved, the clock starts over for each business associate in the chain of liability.

What is a reportable HIPAA breach? In HIPAA, “breach” means the acquisition, access, use, or disclosure of PHI in a way that violates the Privacy Rule. The definition of “breach” also has a few exceptions, such as for accidental disclosure within your workforce or to a business associate. There is also a risk-based exclusion for situations in which there is a low probability of compromise.

Finally, only breaches of unencrypted PHI are reportable. HHS borrows NIST encryption guidance to determine standards for encryption that get safe harbor.

In terms of privacy and Security Management, breach reporting is usually handled as part of incident response.

How is HIPAA enforced?

HHS has the ability to investigate violations by any covered entity or business associate. You can be investigated or fined by HHS for any violation, even without a breach. The Office for Civil Rights (“OCR”) publishes enforcement data on their website. You can see the funnel of complaints, investigations, and corrective actions. HIPAA also has criminal penalties, and OCR refers cases to the Justice Department for prosecution as necessary.

OCR has a lot of discretion in deciding how much of a penalty to apply. Each violation has a minimum, a maximum, and a cap on identical violations for the year. Instead of drawing out an enforcement action to the bitter end, most organizations choose to settle with OCR. Long-term corrective actions plans are common.

OCR also conducts audits, pursuant to HITRUST. If you are curious about how an OCR auditor would assess you for HIPAA compliance, you can view HHS’s Phase 2 HIPAA audit protocol.

Note: As of September 2017, it’s not clear what direction the Trump administration with take with the audit program.

Can we get HIPAA certified? Is Aptible HIPAA certified?

Unfortunately HHS does not offer a formal HIPAA certification or validation. There are many consultants and other security professionals who will conduct a HIPAA audit, possibly using the HHS audit protocol, but they cannot guarantee that the results of their assessment will be identical to how HHS views your compliance status.

Aptible maintains an ISO 27001 certification and signs business associate agreements for customers with dedicated Enclave stacks and for Gridiron® customers who want to be able to store incident response information such as logs and screenshots that contain PHI or other sensitive data.

What is HITRUST?

HITRUST is a protocol invented to act as the missing HIPAA certification. It’s widely accepted by large customers in healthcare.

Aptible Enclave and Gridiron are both HITRUST CSF Certified. You can learn more about HITRUST and download a copy of our certification letter here. You can also read our blog post about HITRUST and why SaaS companies might be interested in achieving HITRUST certification for their products.

How does Enclave® help with HIPAA?

Aptible Enclave® is a container orchestration platform built for developers that automates security best practices and controls needed for deploying and scaling Dockerized apps and databases that process regulated data, such as HIPAA PHI. You can use Enclave® with a business associate agreement for dedicated environments.

Our HIPAA Security Rule - Standards & Division of Responsibility resource explains how Enclave® automates aspects of the HIPAA Security Rule.

As you read through the HIPAA requirements and start to assemble them into an active, operational privacy and security management program, you will realize that HIPAA leaves a lot out. In this sense, compliance with any set of requirements should be viewed more like a starting point, rather than a finish line. For example HIPAA doesn’t specify implementation details for requirements like (just to take two) audit logging or data backups.

HIPAA also lacks explicit requirements for many fundamental best practices of a good, modern security and privacy management program, such as vulnerability management, encryption key/cert management, network topology and isolation, etc. You’re expected to determine what those “reasonable and appropriate controls” are on your own.

Enclave® helps you deploy Docker containers while meeting both explicit HIPAA requirements and implicit requirements, such as industry best practices. Enclave® is ISO 27001-certified, making it easy to show your customers that your cloud computing stack meets an international standard for security management.

Enclave® helps product-focused developer teams scale security and DevOps. Whether your goal is to build and deploy a single app or run millions of Docker containers at scale, Enclave® can help your team do more, faster.

  • Automatic Container Recovery, Memory Management, easy database replication, and distribution of your containers across AWS Availability Zones help build resiliency into your architecture and prevent small problems from becoming big ones
  • Aptible’s SRE Team monitors and responds to Enclave® incidents (such as AWS outages, host failures, potential intrusions, etc.) 24/7, meaning fewer wakeups in the middle of the night
  • 2-factor authentication with support for FIDO U2F security keys and granular role-based access controls make it easy to secure backend access
  • Comprehensive documentation, use of popular OSS tools (such as Docker, PostgreSQL, MySQL, etc.) and “amazing” technical support from the Enclave® product team make it easy to make good engineering decisions that minimize technical debt
  • Hardened hosts and automatic security updates help you stay on top of patching
  • Set-and-forget features like automatic database backups and Managed HTTPS Endpoints mean less work for your team
  • Advanced networking options like VPC add-ons, managed VPNs, IP filtering, and internal endpoints give you flexibility and let you integrate Enclave® with other cloud environments as you scale
  • Easy logging setups, container performance metrics, SSH access, direct deploys from Docker images, and secure defaults help your team move fast without breaking things

How does Gridiron® help with HIPAA?

Aptible Gridiron® is a SaaS-based security management platform, designed for developer teams. Customers use it to build and run security and privacy management programs and meet requirements for frameworks like HIPAA, SOC 2, ISO 27001, and others. Aptible offers a business associate agreement to customers with Gridiron® HIPAA protocols, so Gridiron® can store incident response forensic evidence that contains PHI.

Our HIPAA Security Rule - Standards & Division of Responsibility resource explains how Gridiron® automates aspects of the HIPAA Security Rule.

The Gridiron Compliance Model illustrates a core set of security and privacy management functions that Gridiron® helps you implement. Gridiron® gives your team a single source of truth for security management activities, evidence, and auditing.

  • The Gridiron® Risk Engine makes it easy to build a risk model for your organization, and manage risks over time. See where you need to improve, and get recommendations on controls to implement.

  • The Gridiron® Policy Engine makes it easy to generate custom policies, procedures, plans, and other audit artifacts that meet requirements for HIPAA (and SOC 2, ISO, etc.), and to distribute them to your workforce.

  • The Gridiron® Training Engine helps you build, deliver, and audit custom security and privacy training. Incident response and business continuity training help you anticipate and prepare for security and availability incidents before they happen.

  • Gridiron® Tools and Reports help you track in-scope assets, vendors, customer contracts and BAAs, security incidents, and regular security checks. Built-in metrics and reporting help you assess whether your security program is working.

Additional Resources

Defense in Brief

Sign up to get the best in security and compliance delivered monthly.

From the Blog

Webinar Recap: GDPR - Practical Advice for SaaS Companies

Henry Hund on May 21, 2018

During this webinar we covered the practical, actionable steps to take to actually become GDPR compliant. Get the recap, recording, and slides.

Read more

Aptible Enclave and Gridiron are HITRUST CSF Certified

Chas Ballew on March 13, 2018

Aptible has achieved HITRUST CSF Certification for Enclave and Gridiron. This post shares a bit more about what this means and how you can think about your own path to certification.

Read more

Aptible SOC 2 Type 2 Report Now Available

Chas Ballew on March 5, 2018

Aptible has achieved SOC 2 Type 2 compliance for the security and availability Trust Service Principles. This post shares a bit more about what this means and why this type of compliance is so valuable to B2B SaaS companies in specific. We’ll also share how you can start building a security program that meets SOC 2 requirements and is audit-ready.

Read more