HIPAA / HITECH Encryption: Is Cloud-Based AlertBoot Disk Encryption A Business Associate Under HIPAA Rules?

Healthcare organizations and other HIPAA covered entities are wary of cloud-based services, and they should be: under HIPAA, a covered entity remains responsible for the security of ePHI (electronic protected health information). When a Business Associate (BA) causes a data breach, it is the covered entity that gets investigated by the HHS Office for Civil Rights and potentially fined, up to $1.5 million per year for violations of a single provision. (HITECH also made BAs directly liable, but that does not relieve the covered entity of its own exposure.)

According to an article at workplaceprivacyreport.com, many cloud vendors take the position that they are not business associates. Rather, they argue, “they are conduits to [PHI]” like the US Postal Service, which holds PHI only temporarily while delivering it from one place to another.

The chief privacy officer at the Office of the National Coordinator for Health IT, however, says that,

HHS has already noted that “a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity.”

Furthermore, HITECH, and the HIPAA Omnibus Rule that implements it, make clear that a vendor which creates, receives, maintains or transmits PHI on a covered entity’s behalf is a BA even if it never looks at the data. That covers cloud service providers that store PHI.

AlertBoot is Not a BA. It’s not a Conduit, Either.

AlertBoot’s cloud-based disk encryption service cannot claim the conduit exception: that exception covers entities that merely transport PHI, and AlertBoot does not transport PHI at all. Labeling it a Business Associate would be equally wrong, for the same underlying reason. BA status turns on creating, receiving, maintaining or transmitting PHI on a covered entity’s behalf, and the AlertBoot endpoint encryption service does none of these.

AlertBoot disk encryption does secure a laptop’s contents with AES-256, but that content is never sent to the AlertBoot cloud. What is exchanged between a secured endpoint (a laptop or a desktop computer) and AlertBoot’s cloud is management data: it is neither health information (patient data) nor an employment record.

We do store certain identifiers: names, passwords (encrypted), email addresses, encryption keys (also encrypted) and so on. A name or an email address appears on HIPAA’s list of identifiers, but an identifier is PHI only when it is tied to health information held by or for a covered entity, and the AlertBoot cloud holds no such information. Understanding what does and does not count as PHI under the HIPAA definitions should clear up any preliminary concerns.
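To make the data-flow claim above concrete, here is an added illustration of the general key-escrow pattern behind cloud-managed disk encryption. It is example code written for this page, not AlertBoot’s software, and its record layout, the account identifier used as a label, and the use of AES-GCM for the local sector step are all assumptions: real full-disk encryption uses a length-preserving mode such as AES-XTS, and a real service would derive the key-encryption key from material only the service holds. What it shows is the split the argument depends on. Disk contents are encrypted on the endpoint and stay there; the only thing that crosses to the cloud is an account identifier plus a wrapped volume key, which is useless without the key-encryption key and cannot be re-labelled to another account without the unwrap failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EscrowRecord models what a hypothetical cloud key-escrow service stores per endpoint:
// an account identifier plus the volume key wrapped under a key-encryption key (KEK).
// It carries no disk contents.
type EscrowRecord struct {
	UserEmail  string
	Nonce      []byte
	WrappedKey []byte // AES-256-GCM ciphertext and tag of the 32-byte volume key
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapVolumeKey runs on the endpoint. The account email is bound in as GCM additional
// data, so a wrapped key cannot be moved to another account's record without the
// unwrap failing.
func WrapVolumeKey(kek, volumeKey []byte, userEmail string) (EscrowRecord, error) {
	if len(volumeKey) != 32 {
		return EscrowRecord{}, errors.New("volume key must be 32 bytes (AES-256)")
	}
	aead, err := newAESGCM(kek)
	if err != nil {
		return EscrowRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EscrowRecord{}, err
	}
	wrapped := aead.Seal(nil, nonce, volumeKey, []byte(userEmail))
	return EscrowRecord{UserEmail: userEmail, Nonce: nonce, WrappedKey: wrapped}, nil
}

// UnwrapVolumeKey fails on a wrong KEK, a modified ciphertext, or a record
// re-labelled with a different account.
func UnwrapVolumeKey(kek []byte, rec EscrowRecord) ([]byte, error) {
	aead, err := newAESGCM(kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.WrappedKey, []byte(rec.UserEmail))
}

// EncryptSector is the endpoint-local step; its output (nonce || ciphertext || tag)
// stays on the machine and is never part of the escrow record.
func EncryptSector(volumeKey, plaintext []byte) ([]byte, error) {
	aead, err := newAESGCM(volumeKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func DecryptSector(volumeKey, sealed []byte) ([]byte, error) {
	aead, err := newAESGCM(volumeKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed sector too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	kek, volumeKey := make([]byte, 32), make([]byte, 32) // constructed sample keys, not real material
	rand.Read(kek)
	rand.Read(volumeKey)
	sealed, _ := EncryptSector(volumeKey, []byte("constructed sample: patient chart")) // stays local
	rec, _ := WrapVolumeKey(kek, volumeKey, "user@example.org")                      // goes to the cloud
	recovered, err := UnwrapVolumeKey(kek, rec)
	if err != nil {
		panic(err)
	}
	plain, _ := DecryptSector(recovered, sealed)
	fmt.Printf("cloud holds a %d-byte wrapped key for %s; local ciphertext is %d bytes; recovered %q\n",
		len(rec.WrappedKey), rec.UserEmail, len(sealed), plain)
}
```

The check a practitioner would run against any such service is the one this layout makes visible: inspect what the escrow record actually contains (here, an email address and 48 bytes of wrapped key plus a nonce) and confirm that nothing derived from disk contents is in it. The additional-data binding is the detail that matters operationally; without it, a stolen wrapped key could be attached to a different account’s record and unwrapped by whoever controls that account’s recovery path.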

Related Articles and Sites:
http://www.phiprivacy.net/?p=11350
http://www.workplaceprivacyreport.com/2013/01/articles/data-security/are-cloud-service-providers-business-associates-under-hipaa-and-the-hitech-act/
