In October 2016, federal authorities released two important pieces of guidance for businesses handling health information to consider. The Department of Health and Human Services, Office for Civil Rights (“OCR”) released guidance on (1) the application of HIPAA to cloud computing, and (2) the importance of the Federal Trade Commission Act (“FTC Act”) in the context of sharing protected health information (“PHI”). These materials are important because OCR is responsible for enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), and businesses subject to its jurisdiction will be expected to conform their practices accordingly.
HIPAA and Cloud Computing
In health care, cloud computing solutions are an increasingly popular means of processing, storing, securing, and making patient health information available to those who need it. As a result, OCR set out to clarify how HIPAA applies to cloud solutions when used by businesses processing PHI. The guidance includes the following key takeaways:
- When “covered entities” (certain health care providers, health plans, and health care clearinghouses) engage cloud service providers (“CSPs”) to create, receive, maintain, or transmit electronic PHI (“ePHI”) on their behalf, the CSPs are acting as “business associates” to the covered entities, and are thus also subject to HIPAA.
- CSPs may be business associates even where they maintain only encrypted ePHI and do not have access to the decryption key (i.e., do not have an easy means of accessing ePHI held on behalf of the customer).
- CSPs generally cannot utilize the “conduit” exception to claim that they are not business associates. This exception applies only to transmission services where any maintenance of PHI is temporary and incidental (e.g., the postal service). Since most CSPs that provide transmission services for ePHI also provide storage, this exception will usually not apply.
These and other points addressed in the guidance make it clear that a wide range of cloud services are, in fact, subject to HIPAA compliance considerations. The full guidance can be found on OCR’s website.
Health Information Sharing and the FTC Act
While most businesses that collect and share health information have considered their compliance with respect to HIPAA, in guidance developed in collaboration with the Federal Trade Commission, OCR made it clear that those businesses must also consider the FTC Act, which prohibits unfair and deceptive practices with respect to consumers’ information more broadly.
Under HIPAA, most sharing of PHI that is for a purpose other than treatment, payment, or health care operations requires the related individual to execute an “authorization.” Along with specific statements and elements that are required under HIPAA, the authorization must be written in plain language. Authorizations must include information regarding the purpose of the disclosure, the information to be disclosed, the intended recipient, and an expiration date for the permission to disclose.
The guidance clarified that, while an authorization may be required in these circumstances, the information surrounding the authorization must also avoid creating a misleading perception in violation of the FTC Act. For example, a prominent statement that a consumer’s information will be kept confidential may be confusing if the consumer is separately asked in a less visible fashion to provide their authorization to share their information.
Similarly, businesses should avoid presenting consumers with requests in a confusing fashion, such as a stack of papers where the first asks for permission to share information with the consumer’s doctor, while another requests permission to share information with a pharmaceutical firm.
This guidance reinforces the need for businesses handling health information to strictly adhere to the compliance measures identified under HIPAA for information sharing, and also ensure that their overall information handling practices are presented in a manner that is clear and conspicuous to the individual. The full guidance is available here.