Chris Apgar, CISSP

Word of Warning: Does Not Sign Business Associate Agreements

A few days ago, after making multiple attempts on behalf of a client to verify and clarify how supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the platform. Therefore – as you’ll see in the exchange below – they “do not sign BAAs.”

So, a warning to those who use and store recordings that include PHI on the platform – is unwilling to execute a business associate agreement with covered entities and business associates. If you need a video communications platform that supports the storage of PHI and is HIPAA compliant, it’s wise to look elsewhere.

Below is a reprint from a warning I posted on LinkedIn just the other day. Please feel free to share your experiences of similar situations and vendors with me in the comments area on that post. Here’s my email exchange with

Original Question/Comment

I’m attempting to get an answer one last time. I represent a mutual customer who currently uses who is required to comply with HIPAA. Given the fact that protected health information (PHI) may be stored on‘s platform in the form of recordings, is required to sign a business associate agreement with my client. If is unable or unwilling to sign a business associate agreement, I need to recommend that my client change to another conferencing platform such as Zoom or WebEx who will sign a business associate agreement.

On Dec 2, 2018, at 6:42 PM, Support wrote:

Hello Chris,

Thank you for contacting

We actually do not sign BAAs because our services are not HIPAA compliant as HIPAA compliance, per se, is applicable only to entities covered by HIPAA regulations (e.g., healthcare organizations).

That being said the technical security controls employed in the service and associated host and client software can meet or exceed HIPAA technical standards. But again, we are unable to sign any BAA’s.

If we have answered your question, we will send you an email in the next few days asking for your feedback. We value your opinion and thank you in advance for taking the time to click on the survey link and letting us know how your experience was with our team.

Thanks again for using

L***  | Customer Support Representative
LogMeIn, Inc.

My reply to

You ( answered my question. My client will be looking for another vendor. While the functionality may be there to secure the data, my client would be violating HIPAA by continuing to use the platform. As the US Department of Health and Human Services, Office for Civil Rights has stated, claiming to not be a business associate doesn’t mean you actually aren’t one. I also feel a need to remind covered entities and business associates they shouldn’t be contracting with if the platform will be used to store recordings that contain PHI.

Chris Apgar, CISSP

My Recommendation

Ultimately, I had to recommend to the client that they not use but check into online video and document storage with vendors who will sign BAAs, such as Zoom or Webex. The instance serves as a reminder that no matter how technically secure a vendor professes to be, if you plan to use their platform or services for anything pertaining to PHI, there needs to be a BAA in place, documenting that they follow HIPAA regulatory requirements as relates to PHI protection. And as I indicated to the customer support representative above, claiming that you’re not a business associate doesn’t magically transform you into not being one!

Chris is a frequent LinkedIn Pulse contributor. You can connect with him here, and you can follow Apgar and Associates on LinkedIn here.

Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule

Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago.  One of the sessions I attended was focused on what’s happening at OCR these days.  The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP.  I heard about new OCR activity, got an answer to my question about the future use of the OCR audit protocols, and key OCR takeaways.  I have the pleasure of passing the Forum’s highlights on to you.

OCR audit protocols use.

The big news to me was the answer to one of my questions about OCR audit protocols.  For over a year, we’ve been saying that it’s likely OCR will use the audit protocols that were updated for the phase 2 audits in its investigations and enforcement activity.  I took the opportunity to ask the top authority at OCR about future use of the protocols.  Mr. Severino confirmed – that’s just what OCR intends to do and may already be doing so.

Other OCR activity includes:

  • Updating HIPAA/FERPA guidance (jointly with the US Department of Education)
  • Issuing a notice of proposed rule making (NPRM) request for information (RFI) HITECH Act accounting of disclosures language (the last NPRM was not well received by the industry and privacy advocates)
  • Evaluating ways OCR can distribute funds received as part of enforcement related civil monetary penalties and settlement agreements to victims of breaches of their PHI

That’s a fair amount of activity.  The only caveat is we don’t know how soon “soon” is.

FBI and FTC weigh in on ransomware attacks.

I also attended a session that featured speakers from the FBI and the FTC.  Along with Mr. Severino, the FBI said that the first step covered entities and business associates should take when attacked by ransomware is to contact the FBI.  The FBI has agents in place to investigate ransomware and help covered entities and business associates get their data back without paying a ransom.  This is something to keep in mind when you’re updating your security incident response plans, especially given that local law enforcement may not have the resources to assist with an investigation.

Is the HIPAA Security Rule being updated?

There has been much talk over the past few years about the need to update the HIPAA Security Rule.  The Director indicated that he thinks there is nothing fundamentally broken with the Security Rule, so it’s unlikely the rule will be amended any time soon.  The Security Rule is technology neutral and flexible.  It hasn’t become obsolete due to changes in technology, and there has been a lot of change since the rule was published in 2005.

OCR phase 2 audit results and plans for enforcement.

Mr. Severino shared that OCR was finalizing phase 2 audits and results will be published soon.  As far as the audit program goes, he indicated that there would likely be no more formal audits.  Instead, the audits would become part of OCR’s enforcement activity.  He believes this promotes an enforcement mindset with a higher-level rigor, similar to enforcement activity conducted by the US Department of Justice.

An audience member asked if enforcement would continue unabated or would be curtailed under this administration.  The answer: OCR is still on track with enforcement.  Mr. Severino would like to see enforcement go down as a reflection of the expansion of a culture of compliance, which OCR has been pushing since 2011.  He did add that the industry was far from there today.

Adam Greene asked Mr. Severino to provide three takeaways for the audience.  The Director said:

  1. You need to treat PHI as if it was a bar of gold. That includes conducting periodic risk analyses, encrypting PHI and securing mobile devices.
  2. “We’re from the government and we’re here to help” – tap into OCR resources through its website, the most popular website for the US Department of Health & Human Services.
  3. “Help us help you” – review NPRMs, RFIs, and other information OCR would like input from the industry about and provide feedback. Periodically check for opportunities to provide OCR feedback.

All in all it was a great conference and good to get information from the proverbial horse’s mouth.  Julia will be sharing information about some of the sessions she attended.  Look for more in the weeks to come!


Communication Disconnect: Sales Promises & the Information Security Audit

Has this happened to your company? The sales team has a hot prospect who wants them to conduct an information security audit. Sales promises that not only can that happen, but also that it will happen by a specific deadline. The problem? No one checked with the C-suite or operations management before committing.

This communication – and timing – disconnect between sales and operations can cost companies both prospects and current customers. Information security is traditionally implemented and maintained behind the scenes. In today’s market, particularly for healthcare vendors, good market positioning means that information security has to be front and center.

As an example, the demand for a SOC 2 audit report is on the rise. Healthcare vendors and other service organizations are being asked for it as proof of a sound information security program. We work with clients as they prepare for and proceed through SSAE 16 SOC 2 audits. In cases where vendors engage a CPA firm to conduct a SOC 2 audit, we find that the decision to go through an information security audit comes from two places: the C-suite and sales.  The C-suite sees the audit as a way to retain current customers and to maintain marketability.  The sales team looks at it as another strong sales point.

What happens when the sales team over-promises?

If the sales team sells a product or service based on the assumption an information security audit can be done without checking in with its IS department, they may find themselves in a huge bind. It’s even more problematic if the company executed a customer contract along with the promise to conduct a SOC 2 audit. Imagine how that will come back to bite the company when the customer demands a copy of the nonexistent report!

In one instance, a company we’ve worked with in the past lost out on a multi-million dollar deal based on an over-promise.  Sales promised they would complete a SOC 2 audit, which the company then delayed for a couple of years. The prospective client walked away from the table.  Remember, the proverbial grapevine works well, healthcare industry or otherwise. If you’re doing a great job, people will hear about it. If you fall on your face, they’ll hear about it faster.

Sales teams like to run full steam ahead, promising results, valuable products and enhanced service.  That’s a good thing. That’s how companies stay in business and continue to grow.  Often, though, IT / IS is left trying to figure out how to keep the promises made.

Vendors for healthcare and other service organizations are under mounting pressure to prove customer data is safe and secure. Information security is a market driver.  If sales and the information security team aren’t on the same page, the outcomes could be disastrous for business. So communicate amongst yourselves: sales, IT and the information security team.  Actively involve the C-suite. Then you can be assured the company is steered in the right direction, with the right resources. When promises measure up to delivery, everyone is happy.

Privacy and Security Training: Less hype, less myth, more HIPAA realities.

I’m often taken aback by some of the marketing material I receive from privacy and security training vendors.  This is clearly a “buyer beware” moment.  Reviewing a training vendor’s material can give you some insight into their credibility, particularly if you’re already somewhat knowledgeable about the material that needs to be covered in any privacy and security training session you’re looking to enroll in.  The training risk comes when someone doesn’t have a good grasp of the material, because they may well be fed outdated information or, worse, partial truths about HIPAA.

I may be a little sensitive because of the type of privacy and security training that we and some of our partners provide. Timely, current event-relevant, regulation-sensitive training. But in this instance, we received a vendor mailing focused on email integration and texting in the healthcare communications environment. Sounds entirely reasonable, right? Unfortunately, the marketing copy reflected outdated or even misleading information.

Marketing hype or regulatory reality?

The vendor’s privacy and security training marketing materials included these topics and observations, presented as facts:

  • Email and texting are in the early adoption stages in healthcare settings. Texting is becoming the preferred engagement, overtaking paging.
  • Mobile phone use for texts or calls relating to payment, to provide critical healthcare information or other official purposes is a no-no for providers and violates HIPAA.
  • Risk evaluation and management related to business communication that may or may not contain PHI is under scrutiny. Improper exposure may be considered an official breach.
  • Violation enforcement can include fines up to $50,000 per day and more.
  • Impacts of the Telephone Consumer Protection Act (TCPA) limit the use of cell phones for payment and healthcare purposes unless consent is obtained.

Let’s take it from the top. First of all, texts and emails are common in today’s healthcare environment. While the topic is worth addressing as part of ongoing training (and hopefully touches on serious email threats like phishing), it’s not a new issue.

[Read Phishing: Help Good Employees Avoid the Hook of a Cybersecurity Nightmare]

Secondly, clarification is in order when it comes to texts. HIPAA doesn’t require covered entities to obtain consent before, say, sending an appointment reminder via text message. I do, however, think it’s a courtesy that should be extended because not everyone is comfortable with anything to do with their health being texted to them.

Now to take it a step further, if the email or the text message is encrypted, there are really no HIPAA consent requirements. If the individual requests texts and emails be sent unencrypted, covered entities do need to document that the individual making the request has been informed of the dangers associated with unencrypted transmission of PHI.  That’s not the same as obtaining consent.

When it comes to risk evaluation and risk management, yes those are hot items. And while I do wonder what an “unofficial” breach is, I agree the improper exposure of PHI may result in a reportable breach.  Please keep in mind that if the exposure is unintentional, like a misdirected email, it may or may not be a reportable breach. That’s where the HIPAA Breach Notification Rule’s four factor risk assessment comes into play.

Here’s where I seriously part ways with the material: the violation enforcement information and the penalties.

If you’re doing the right thing, discover a breach, follow the required investigation and notification process and you timely report the breach to OCR, you likely won’t be fined by OCR.  Now, if there is a breach and OCR finds you haven’t conducted a risk analysis, haven’t adopted current and enforceable policies, haven’t trained your staff and so on, then yes, chances are higher that you’ll be paying in the form of a penalty or monetary settlement.

As far as the $50,000 per day, OCR can levy penalties up to $50,000 for a single violation up to a maximum of $1.5 million per calendar year.  There’s no reference in any OCR guidance that violations are counted in days. They could in fact be counted as the number of records breached.  If, as an example, 1,000 patients’ PHI was breached, OCR could count that as $50,000 X 1,000 (if you’re found guilty of willful neglect).  Because the penalty amount calculated this way would exceed $1.5 million, the maximum penalty amount would be levied unless a lower amount was negotiated between OCR and the breaching entity.

Finally, the TCPA. I need to point out that the TCPA was enacted in 1991 – pre-HIPAA – and addressed robocalls. It had nothing specifically to do with text messages and healthcare.

The bottom line on healthcare privacy and security training.

Emailing and texting to communicate healthcare information has been going on for years. Keep in mind that while guidance from OCR (“Right to Access”) emphasizes the need for covered entities to communicate effectively with patients, there is no reference to text messaging or emailing other than to state that patients can request communications be made using unencrypted email as long as the risks associated with it are clearly communicated.  There is zero reference to text messaging in the guidance or in HIPAA itself.

I wholeheartedly agree that you need to regularly conduct privacy and information security training with your workforce. I also agree that you need up-to-date privacy and security training documentation.

I’m concerned that there are entities not up on the risks and how those risks are associated with patient communication. The first edicts from HHS that apply to the use of email to communicate with patients date back to January 2013 (the Omnibus Rule) and February 2014 (the HIPAA CLIA Rule), respectively.

Training vendors need to be vetted. If you or your staff are going to take your valuable time to attend any vendor-offered training, you need to know that it has more real-world application to privacy and security risks, engages employees on how they can protect ePHI, and accurately reflects regulatory requirements. More HIPAA realities, less marketing myth.

What the Russian Indictment teaches us about cybersecurity.

Aside from the sensationalism of alleged espionage by a foreign power, the cybercrime accusations listed in the Mueller investigation’s indictment document should be a warning to businesses everywhere. It’s an object lesson in “this could happen to you” cybersecurity. Russian cyberwarfare notwithstanding, nation state attacks on US entities are common. The US CERT site has a running list of North Korean “malicious cyber activity” to prove it.

It’s rare that the general public gets to see the “how” of a cybersecurity breach. Organizations typically stick to generalities when they own up to data breaches. Notice that the cyber-attackers used every tool at their disposal to locate and exploit vulnerabilities at the Democratic National Committee and Clinton campaign: spear phishing to steal passwords and gain network access, spoofed security notifications and email accounts, hacking tools and malware. This single-minded cyber-attack is a prime example of how things really play out when hackers want to get in your back door.

Every organization needs to take the cautionary message to heart. Because to mitigate the risk of a data breach recurrence, you not only need to know what happened, but also how and why it did. Think about it. What if you’re a healthcare provider? People’s lives are at stake.

3 Fundamental Tips for Risk Mitigation

  1. Implement perimeter controls to detect breaches and other cyberattacks such as ransomware. How else will you know a phishing attack has occurred? When the system takeover happens? Use appropriate technical perimeter controls to detect an attack early on so you can take immediate action.
  2. Launch system redundancy while you resolve the breach or security incident. You need to take the system down to root out every instance of malware, which means business continuity measures come into play. If you can launch your backup, business operations can continue with only a small blip.
  3. Engage computer forensic experts to get an image of the drives. Sure, maybe you can wipe drives as part of eliminating ransomware. Now what? You have no way to find out how it happened or why.

The above tips make the assumption that you have the basics in place, like security incident response and business continuity plans (which go hand-in-hand, by the way). If you don’t have functioning fundamentals, the ensuing scramble after a data breach or cybersecurity incident starts to look like that classic vaudeville sketch “Who’s on first?”

Chris Apgar, CISSP, is a nationally recognized expert and educational instructor on information security and privacy, as well as a frequent instructor, panelist and panel facilitator for leading national industry groups in healthcare, compliance and security.

Minor Privacy Rights: Where Feds & State Diverge

In most instances, HIPAA rules apply for adults and minors. That’s to say, the federal regulation sets the bar. HIPAA treats minors as adults when it comes to privacy rights if they’ve reached the age of informed consent except when state laws say otherwise. Some state laws permit or require disclosure to parents or guardians regardless.

For example, in Oregon, minors reach the age of informed consent at age 15, with exceptions.  Those are: Parents or guardians can receive information on the minor up to age 18, unless the minor gets married or has been emancipated. Oregon law trumps HIPAA in those cases.

To understand some of the broader implications, it helps to know that covered entities determine what makes up an individual medical record (aka designated record set, or DRS). So when a parent or guardian wants access to a minor’s record, they have it (unless state law trumps it). Oh, and divorce doesn’t change that ability to get a copy of a minor’s medical record.

Minor privacy rights can vary according to the medical issue, as well. For instance, privacy rights related to alcohol and chemical dependency diagnosis and treatment fall under the most stringent federal privacy laws. In these cases, the strictest law prevails when it comes to privacy or access to PHI, which includes minors if they’ve reached the age of informed consent.

In some states, like Oregon, there are exceptions. For example, although the Oregon age of informed consent is 15, when it comes to:

  • outpatient mental health, alcohol and chemical dependency treatment, the age of informed consent is 14
  • HIV/AIDS information and STDs, the age of informed consent is from birth
  • Birth control, the age of informed consent is from birth

So when logic doesn’t apply, but the law does, what do you do? Be sure that you understand all of the ramifications of a minor’s privacy rights under both HIPAA and your state laws. That means not only must you train and re-train staff in that understanding, but you also need to pay close attention to your legislature’s activities. Document disclosures and authorizations and know what your liability is related to either.

Chris Apgar, CISSP delivers training webinars on regulations and best practices related to HIPAA, HITECH and cybersecurity issues. To learn how Apgar & Associates privacy and security expertise can help your organization, give us a call at 503.384.2538.

How can you avoid the costly price tag of unauthorized ePHI access?

We’re talking millions. Take a look at the largest HIPAA-violation related fines of 2017. Companies like dialysis-giant Fresenius, Memorial Healthcare Systems, and 21st Century Oncology (21CO), which operates 143 centers nationwide, have been fined millions thanks to unauthorized access (21CO has filed for Chapter 11 bankruptcy). In 21CO’s case, the access was through a vulnerable back door to their IT systems, but for Fresenius and Memorial Healthcare Systems, unauthorized ePHI access was employee-related.

When you look at the heart-stopping price tag of non-compliance, the question becomes: Could the unauthorized access have been avoided? Most would argue – and I’d agree – that no system or organization is 100% secure. However, there are ways to mitigate risk, both human and technological. Let’s start with the human factor: your employees. Here are a few tips to pass along:

5 Ways Employees can Protect ePHI

  1. Be sure no one can see your screen. Whether at your desk or using a mobile device, if you’re accessing PHI, protect it from view. Angle your desk – or your body – so that no one can inadvertently see the sensitive data.
  2. Keep quiet about patient records. Just because a recent emergency visit was the stuff of urban legend doesn’t give you the right to share it.
  3. Protect your password and make it strong. A phrase that combines letters, numbers and special characters is a commonly used best practice.
  4. Stay off public wifi when accessing ePHI. It’s tempting to catch up on work at the local coffee shop or the airport, but public wifi is a notorious favorite of hackers.
  5. Immediately report any suspicious activity to your IT department. Strange email? Don’t click the link or open the attachment – call IT.

Things get a little more straightforward when you step into the technology side. That’s not to say it’s easier. But common security controls are just that, common. Data encryption for static and in-transit data, keeping up with software security patching, frequent system backups, a secure messaging platform and access control audits – all place significant barriers in front of sensitive healthcare data.

Where does responsibility for healthcare data breaches lie? Workforce, cybercriminals, technology vulnerabilities, lack of training – any and all can place ePHI at risk. While there is no magic pill to secure healthcare information, there are many ways to manage the risk. To learn how Apgar and Associates can help you manage risk and ramp up privacy and security measures, contact us today.

Phishing: Help Good Employees Avoid the Hook of a Cybersecurity Nightmare

The sneakiest of cyber-attacks, phishing has grown in sophistication even as organizations work to tighten cybersecurity programs. Phishing attacks have always been an easy backdoor into an organization’s – or individual’s – network. With one click as you rush through daily emails, you can unleash malicious software into the system.

Phishing fools the best employees. Impersonation has become slick – emails look nearly identical to those you’d get from a bank, shipping service, or online retailer. Even government agencies are impersonated to perpetuate the scam.  Links or attachments that look benign, like receipts, tracking links or spreadsheets, contain nasty malware that can bring down a system and halt business operations until it’s contained.

6 Phishing-wary Best Practices

  1. Recognize the sender’s email address. Then stop. Look again, and don’t click on the link or open the attachment. If the topic seems even a hair out of character for the sender, it may be coming from a hacked account.
  2. Hover your cursor over the suspect link. If the heading says it’s from your bank but the web link that you see when you hover your cursor over the link doesn’t match, don’t click the link!  It would be a good idea to report these scams to your bank or other legitimate sender you may communicate with.
  3. Don’t recognize the email address or sender? Definitely don’t click. And perhaps let your IT department know a strange email is in your Inbox.
  4. Weren’t expecting an email from this sender? Use the telephone! Yes, an old-fashioned call to verify that the email is legitimate could save your company a world of hurt.
  5. Pay close attention to emails directing you to websites that look just a little off. Fake sites often impersonate real ones.
  6. Update software security and anti-malware software when it’s released. Don’t swipe it off the screen or keep clicking “install later.” That’s the kind of procrastination cyber attackers count on.
  7. Back up data frequently, then test those backups. You want to know that a data restore action actually works. If it doesn’t, rethink your backup strategy.
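
The “hover over the link” check in tip 2 can be automated for an email gateway or a user-facing warning. The script below is an added example written for this page, not the post’s own tool: it parses an HTML email body and flags any link whose visible text names a domain different from the one the href actually points to. The sample email and the bank and shipper domains in it are constructed placeholders.

```python
"""Flag HTML email links whose visible text names a different host than the href.

Added example for this page (not the post's own code): it automates the
"hover over the link" phishing tip. The sample email HTML below is constructed
for illustration; the bank and shipper domains are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare domain or URL appearing in the visible anchor text,
# e.g. "www.example-bank.com" or "https://example-bank.com/login".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (good enough for .com-style hosts)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return (visible_text, href) pairs for links whose text names a different domain.

    Link text made of plain words ("Click here") cannot mismatch, so it is
    skipped; only text that itself looks like a host or URL is compared.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        m = _HOST_IN_TEXT.search(text)
        if not m:
            continue
        shown = _registered_domain(m.group(1))
        actual_host = urlparse(href).hostname or ""
        if _registered_domain(actual_host) != shown:
            flagged.append((text, href))
    return flagged


# Constructed sample: one honest link, one lookalike, one "click here" link.
SAMPLE_EMAIL = """
<p>Your statement is ready at
<a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>
<p>Verify your account now:
<a href="http://example-bank.com.login-verify.example/secure">https://example-bank.com/login</a></p>
<p><a href="http://tracking.example/pkg">Click here</a> to track your package.</p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text shows {text!r} but link goes to {href}")
```

The domain comparison is deliberately coarse (last two labels), so hosts under multi-part public suffixes such as co.uk will need a proper public suffix list before this is used in production.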

Your best bet to combat phishing attacks? Workforce awareness. Much of the privacy and security training we provide is geared toward helping your workforce recognize phishing attacks, learn how everyday activities can compromise information security, and realize how their particular job function relates to overall cybersecurity, no matter what the position is.

Resource: OS OCR SecurityList, February 2018 Cybersecurity Newsletter: Phishing



WiFi Vulnerability & the KRACK Infiltration: Tips from Techs

By now, you’ve heard of the KRACK WPA2 infiltration of WiFi. Basically, a vulnerability in WPA2, the standard for most WiFi communications between your mobile phone, computer and anything else that connects to a wireless access point, is a wide-open door for cyber attackers. When a cyber attacker exploits the WiFi vulnerability, they can intercept the traffic of any device using the WiFi network. It affects everyone.

This kind of widespread WiFi vulnerability serves as a good reminder that we need to be especially careful using public WiFi, like that at your local coffee shop, or when traveling – at airports, hotels. As our virtual CIO / IT vendor recommends, “If you can use a Virtual Private Network (VPN) vs public WiFi, that’s a better option to help secure your communications.”

Over the weekend, we received several communiques from various IT vendors with whom we work.  A partner of ours, Convergence Networks, forwarded a great e-letter to me that shared the following excellent tips.

Who does the KRACK infiltration affect?

If you use WPA2 encryption to secure your WiFi communications (and you likely do), you’re probably affected. That said, Android devices are the most widely exploited.

Does this mean someone can get my Wi-Fi password?

No. The WiFi vulnerability could allow an attacker to intercept Wi-Fi communications between a device and a wireless access point, but doesn’t compromise your Wi-Fi password.

How is the KRACK vulnerability being fixed?

Vendors are working on or have already released patches to fix the vulnerability:

  • Microsoft has released patches for supported Windows operating systems (Windows 7 and higher).
  • Apple is working on a patch for MacOS and iOS devices, expected to be released in November.
  • Android vendors manage their own patching schedules. Google Pixel devices will receive updates by November 6. Other Android vendors are expected to release patches later.
  • Fortinet, a firewall and wireless access point vendor, has shown very limited exposure to this attack, but vendors are gathering information on any devices affected.
  • Cisco has already released a patch for its Meraki wireless access points.

What should I do?

If you have an IT vendor for your information systems support, check with them on their patch schedule for Windows systems. They should automatically patch during the next maintenance window if not sooner.

As an individual, it’s strongly recommended that you immediately apply software and security updates to your mobile devices – particularly Android devices. Do so as soon as you’re notified that an update is available – don’t swipe the notification away!

For businesses using off-the-shelf consumer level WiFi like Linksys or Netgear, look into business-class wireless. You’ll get better timing on security updates.

Home-based WiFi? Call your ISP or the company that makes your wireless access point (router, firewall, etc.) to see when they are updating the firmware.

This is an excellent time to be sure that your wireless devices are updated, too. If your devices are so old that there’s no fix available, it’s time to part ways.

Particularly check your IoT devices – don’t forget wireless home security cameras!

Should I not use WiFi?

Good question. Convergence Networks had this advice: “While the KRACK WiFi vulnerability is serious, it requires an attacker to be in range of your wireless device to execute it, it requires time, and is not yet an easy vulnerability to exploit. While the vulnerability affects most Wi-Fi devices, the overall risk to a device is not high, and in most cases Wi-Fi can still be safely used. If you’re an Android user, consider disabling Wi-Fi on the device, limiting connectivity to cellular service, until the November patch has been applied to your device.”

Using the Cloud to Store & Share Files? It may be time for another Security Risk Analysis.

We’ve been working with a number of clients lately who are trying to wrap their arms – and IT policies – around cloud computing and file sharing. You may remember last year when OHSU was fined $2.7 million for “widespread HIPAA vulnerabilities.” Well, part of those vulnerabilities came about because of improper use of cloud-based file sharing services.

Healthcare organizations or not, use of cloud computing to store or share sensitive information comes with risks. OCR regularly reminds covered entities and their business associates of the potential risks, as well as how to use them yet remain in compliance.

Often, human error is at the root of the breaches. All electronically based protections, firewalls, anti-malware programs and so forth may be in order, but one person accessing information without authorization skews everything. Flawed setup of services is another risk, and one usually not detected until it’s too late.

We like to start with the security risk analysis to detect any potential service misconfiguration or unneeded access to sensitive data. The security risk analysis, when combined with IT vulnerability scans, penetration tests and mock phishing exercises, helps organizations identify and address security gaps like missed security patches and software that’s out of date, as well as detecting the most likely potential for human error. (Of course, the security risk analysis is also a HIPAA Rules requirement – but you knew that.)

Check that you’re in compliance with OCR Guidance on cloud computing, particularly around storing ePHI in the cloud, the proper policies and procedures, and the appropriate Business Associate Agreements.

Remember: Cloud computing and file sharing isn’t prohibited by OCR, but you must have appropriate measures in place to secure sensitive data and assure compliance. If you’re not sure whether your use of the services is secure, or your security risk analysis is up to date, then stop and call us!

Our HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. We work across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well. You can reach Apgar & Associates at 877-376-1981.