HHS recently published its June cyber newsletter, which discusses security concerns that HIPAA-covered entities and business associates (BAs) must take into account when implementing file-sharing and collaboration tools.
As a reminder, HIPAA’s security rule requires covered entities (and their BAs) to implement security measures with respect to protected health information (PHI) that is stored electronically. Covered entities (and BAs) must implement a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronically stored PHI (ePHI), and implementing mitigation procedures.
In the newsletter, HHS provides examples of how cloud computing and file sharing services can introduce additional risks to the privacy and security of ePHI. Employers subject to HIPAA’s security rule must identify these risks as part of their risk analysis process and mitigate them as part of their risk management process. In particular, misconfigurations of file sharing and collaboration tools, as well as of cloud computing services, are a common cause of unintended disclosure of sensitive data, including ePHI.
Finally, the newsletter includes a summary of HHS’s cloud computing guidance (covered in our Oct. 18, 2016, Compliance Corner article entitled “HHS Provides Guidance on Cloud Computing in Relation to HIPAA Privacy and Security”) and links to HIPAA and cloud computing resources.
In summary, the newsletter imposes no new employer obligations, but it can serve as a useful resource for employers and their BAs in complying with the HIPAA security rule. Employers should work with outside counsel and their technology partners when developing HIPAA security practices and procedures, and should draw on HHS’s monthly cyber newsletters for guidance on specific cybersecurity practices.