Online data backup services are a mainstay for many therapists who use a paperless office, and these services are starting to cater to our market in greater and greater numbers. The new HIPAA rules have created a snag for those of us wishing to use these services without spending an arm and a leg, however.
The Office of Civil Rights (OCR) — the folks who are now charged with enforcing HIPAA and who authored the January 2013 Final Rule for HIPAA and HITECH — have made a bit of a mess.
The Final Rule made several changes to the rules for Business Associates. BAs (it’s an unfortunate acronym, I know) are third parties who handle your protected health information on your behalf. Examples are billing services and Internet electronic health record providers. If you use such a company without a Business Associate contract, that’s a HIPAA violation. (Need more? See “What is a HIPAA Business Associate Agreement?”)
My concern is with rule changes around online data backup services, which are used to automatically back up the data on our computers. Before the 2013 Final Rule, it was clear that we could use these services without a Business Associate contract if our data was properly encrypted before we sent it to the backup service. As “cloud”-based paperless offices have become more popular, several services that use this encrypt-before-you-send scheme have popped up, including Carbonite’s self-managed key service, Swiss Disk, and Sookasa. This is a good system and a secure one, in my opinion. It isn’t broken, and certainly doesn’t need to be fixed.
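To make the "encrypt-before-you-send" scheme concrete, here is an added illustration that is not part of the original post and not the code of any of the services named above. It assumes the openssl command-line tool is installed; the directory names and the sample "client record" are constructed for the demonstration. The point it shows is the one the scheme rests on: the key is generated and kept on the clinician's machine, the file that would be uploaded is checked to contain no plaintext, and a restore from that file is tested, because an encrypted backup you cannot decrypt is no backup at all.

```shell
#!/bin/sh
# Added example (not from the original post): a local encrypt-before-you-send backup.
# Assumes the openssl CLI is available; paths and sample data are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/ebys-demo.$$"
mkdir -p "$WORK/records" "$WORK/cloud"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample record standing in for real protected health information.
printf 'Client: Jane Doe (constructed sample)\nSession note: example text\n' \
  > "$WORK/records/note-2013-09-01.txt"

# Generate a 256-bit key that never leaves the clinician's machine.
# Losing this file means losing the backup, so it needs its own safe copy.
make_key() {
  openssl rand -hex 32 > "$WORK/backup.key"
  chmod 600 "$WORK/backup.key"
}

# Bundle the records and encrypt the bundle locally.
# Only records.tar.enc would be handed to the backup provider ("cloud" here).
encrypt_backup() {
  tar -C "$WORK" -cf "$WORK/records.tar" records
  openssl enc -aes-256-cbc -pbkdf2 -salt \
    -pass file:"$WORK/backup.key" \
    -in "$WORK/records.tar" -out "$WORK/cloud/records.tar.enc"
  rm -f "$WORK/records.tar"
}

# Check that the provider never receives plaintext: the uploaded file must not
# contain the sample text. Prints 1 if plaintext is visible, 0 otherwise.
plaintext_leaked() {
  if grep -q 'Jane Doe' "$WORK/cloud/records.tar.enc"; then echo 1; else echo 0; fi
}

# Restore test: decrypt with the local key and compare to the original record.
# Prints 1 if the restored file matches, 0 otherwise.
restore_matches() {
  mkdir -p "$WORK/restore"
  openssl enc -d -aes-256-cbc -pbkdf2 \
    -pass file:"$WORK/backup.key" \
    -in "$WORK/cloud/records.tar.enc" -out "$WORK/restore/records.tar"
  tar -C "$WORK/restore" -xf "$WORK/restore/records.tar"
  if cmp -s "$WORK/records/note-2013-09-01.txt" \
            "$WORK/restore/records/note-2013-09-01.txt"; then echo 1; else echo 0; fi
}

make_key
encrypt_backup
echo "plaintext leaked: $(plaintext_leaked)"
echo "restore matches:  $(restore_matches)"
```

The two checks at the end are the ones worth running against any backup tool that claims to encrypt before upload: look at the file that actually leaves the machine, and prove you can get the data back with nothing but your own key.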
Here’s the rub: OCR representatives have made statements at several seminars, and in an interview with Rob Reinhardt, that any cloud service provider who “maintains” your information — even if they “don’t look at it” — must be a Business Associate. In reality, this declaration contradicts their own brand-new law. Such guidance would cause ISPs — the companies that provide our Internet connections — and email providers to become BAs. The Final Rule explicitly states that ISPs are not BAs, and the law also clarifies that it is acceptable for clients to provide informed consent for you to send protected health information in emails. That would not be possible if an email provider were a BA.
It is not clear if OCR intended to turn all online data backup providers into BAs regardless of how they handle their data. In fact, given the way their statements interact with the law, it seems likely that they are not aware of many of the technical implications of the new rules or guidance, including the fact that their guidance would eliminate the encrypt-before-you-send scheme of BA-less online backups. Indeed, services that provide this scheme have been soldiering on despite OCR’s statements and despite the looming September 23rd deadline for updating Business Associate contracts.
As September approaches, I will be interested to see how the industry responds to this situation. The cloud computing industry may petition OCR to clarify their statements. Or companies may start to provide Business Associate contracts. Or OCR may decide that they simply do want as many companies as possible to qualify as Business Associates.
If you use an online data backup provider without a Business Associate contract, and you wish to take action to deal with these changes now or in the near future, here are some suggestions. You can:
- Switch to an online data backup provider that provides a BA contract. This will likely be more expensive.
- Switch to making your own backups with an external hard drive, thumb drive, or other storage device. You’ll need to keep this device secured, and I have some suggestions for encryption software here. You can also buy external hard drives that have encryption built into them.
- Use a cloud-based electronic health record system. If client records are the only confidential data you have to back up, then these cloud-based record systems will maintain backups for you, freeing you from having to worry about the issue. Such systems are usually happy to provide Business Associate contracts.
- Let it slide until OCR and/or the cloud data backup companies get it figured out. This would be a pretty risk-tolerant approach, but an understandable one. It seems to be the approach that most of the data backup companies are taking.
Whatever the outcome here, it is likely that clinicians will still be able to find affordable, reliable ways to back up our data, even if we have to wait for OCR to figure out what they’re doing.
Update (9/9/2013): At least one major online storage company has informed me that they will start providing Business Associate contracts. Updated information, as well as information about how to meet the Sep 23rd, 2013 HIPAA compliance deadline, is in our LinkedIn group here.