Guidance on HIPAA & cloud computing; Senators question FTC enforcement standards

HHS publishes guidance on HIPAA’s impact on cloud computing

This week, the Department of Health and Human Services issued guidance for HIPAA-covered entities and business associates regarding cloud computing. When a covered entity seeks to use cloud services in connection with the use and/or storage of electronic personal health information (“ePHI”), the cloud services provider (“CSP”) is a business associate of the covered entity and must enter into a HIPAA-compliant business associate agreement. Thus, the HHS publication aims to “assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services.” Given both the ever-increasing use of cloud services and an increased focus on data security, this is necessary reading for providers and other covered entities to ensure they remain compliant with their HIPAA obligations.

For more on this release, see our recent client alert.

Senators question FTC enforcement standards

A pair of senators sent a letter to FTC Chairwoman Ramirez questioning both the agency’s LabMD decision and whether the FTC’s enforcement regime complies with constitutional due process requirements. The letter was authored by Sen. Jeff Flake, chair of the Subcommittee on Privacy, Technology, and the Law, and Sen. Michael Lee, chair of the Subcommittee on Antitrust, Competition and Consumer Rights. Relying on a recent Third Circuit decision’s discussion of fair notice in the cybersecurity space, the senators questioned how the FTC’s enforcement practices afford fair notice on cybersecurity standards; how the disclosure of health information constitutes cognizable injury; and whether the FTC has provided guidance on the cost-benefit analysis discussed by the Third Circuit. Some of these questions may be addressed by LabMD’s recent appeal to the Eleventh Circuit. We may continue to see increased attention on the FTC’s role in cybersecurity enforcement, from both the judiciary and the legislature, in the coming months.