In the third installment of our series on the Laws of Cloud Computing, we take a look at the United States, where the laws of cloud computing, most notably data privacy laws, are varied and originate from numerous sources, both state and federal. At the federal level, regulation has largely been field-specific, providing detailed standards for particular kinds of electronic data, such as medical records, data from children, and financial information. In our next few posts we’ll explore a few of these laws and how they do (and don’t) work for the cloud. We’ll begin with medical patient data, often known in the United States as “protected health information,” or “PHI.”
Medical Patient Data in the Cloud
In recent years, large numbers of medical providers have adopted electronic health record (“EHR”) software systems, spurred by federal incentives under the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). Many of these EHR systems are cloud-based, meaning that patients’ personal health records are stored not on a server at their physicians’ offices, but rather “in the cloud” (i.e., at remote server farms controlled by hosting companies). Among the requirements for being a “certified” EHR, thereby qualifying the physician to receive federal incentive payments under the HITECH Act, are certain data security standards, including with regard to cloud-based platforms. Federal regulations also have incentivized the development of “patient portals” to enable patients to have some level of direct electronic access to at least some of their own medical data stored in these EHR systems. More and more of the patient-provider relationship, therefore, is moving online and into the cloud.
The U.S. Department of Health and Human Services (“HHS”) has developed detailed regulations extending HIPAA protections to the cloud context. Health plans, clearinghouses, and healthcare providers, as “covered entities,” have always been required to comply with the HIPAA Security Rule, and their business associates now have a direct obligation to do so as well due to relatively recent modifications to HIPAA regulations. Under the HIPAA Security Rule, both covered entities and business associates must: (1) ensure the confidentiality, integrity, and availability of all electronic protected health information that it creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required; and (4) ensure compliance with this subpart by its workforce.
HHS recognizes a narrow “conduit exception” to these HIPAA requirements, which extends to the electronic equivalent of the U.S. Postal Service, such as internet service providers that provide only data transmission services. To fall within the exception, however, the data transmission service must only transmit the data and not have access to it, except on a random or infrequent basis. A company that maintains electronic protected health information on behalf of a covered entity (or as a subcontractor of a business associate) cannot avail itself of the conduit exception, even if it does not actually view the information. As a result, cloud providers that store or maintain electronic protected health information will be deemed to be business associates and must comply with the requirements of the HIPAA Security Rule.
Notably, while HIPAA’s security requirements may extend to providers of cloud services, HIPAA does not create a private right of action that would enable patients to enforce those requirements themselves. Instead, patients must turn to the HHS Office for Civil Rights, which can investigate complaints, conduct compliance reviews, impose sizable civil monetary penalties, and refer possible criminal violations to the DOJ, or to their state attorneys general, who have the authority to bring civil actions for HIPAA violations. Creative plaintiffs’ attorneys, however, have begun to work around the “no private cause of action under HIPAA” rule and, after recent (not cloud-specific) high-profile data breaches, have begun to bring claims (typically as class actions) for negligence; negligence per se; breach of contract; breach of implied contract; unjust enrichment; bailment; conversion; invasion of privacy; unfair competition; and violations of state consumer protection, customer record, data breach, and medical data laws.
In light of recent data breaches involving healthcare data, some may be left wondering, in the words of one physician friend, “when did HIPAA become about cyber crime and who wants to steal my medical data?” Arguably, the primary goal of the 1996 Kassebaum-Kennedy Act (aka HIPAA) was to amend the tax code to help working Americans keep their health insurance if they changed jobs. Remember, the “P” in HIPAA is for “portability” – not “privacy” or “piracy.” Covered entities didn’t even have to comply with the HIPAA Security Rule until April 21, 2005.
As more and more data has migrated online and onto large, central, and tempting locations like corporate IT systems and the server farms that house the cloud, personal health information – like all other data – has now become the target of hackers and cyber criminals. Despite repeated warnings by the FBI that healthcare systems are at risk for cyber intrusions, and three major cyber attacks on healthcare companies in the past year (http://www.nytimes.com/interactive/2015/02/05/technology/recent-cyberattacks.html) (http://www.washingtonpost.com/blogs/wonkblog/wp/2014/02/05/cyberattacks-are-on-the-rise-and-health-care-data-is-the-biggest-target/), there is still no simple answer to who wants to steal medical data, why they want to do so, and whether they are even targeting PHI versus other data that happens to be held by healthcare companies. Theories range from state-sponsored espionage groups based in China, criminals after credit card information and social security numbers, cyber-spies seeking the healthcare records of corporate leaders and government leaders, hackers up for a challenge or looking to cash in on medical data, and those seeking to commit health care fraud, to (creatively) those manufacturing knock-off pharmaceuticals seeking to compile drug utilization data for competitive advantage.
Because of the piecemeal approach to data security regulation in the United States, when PHI is held by a covered entity or a business associate, it is protected by HIPAA, even though it may not be subject to any regulation (or the same degree of regulation) when held by another kind of entity. HIPAA, therefore, has morphed from legislation aimed at healthcare reform to a cybersecurity regulation.