One of my go-to HIPAA law resources is attorney Jeff Drummond. He and I often disagree on politics, but I will always consider what he says. This week, I found myself seriously disagreeing with one of Jeff’s blog posts.
Unless you’ve been living under a rock this week, you already know about the brouhaha when Facebook and Twitter permanently suspended President Trump’s accounts, and then the Google Play and App Store removed Parler from their offerings, and then Amazon AWS cancelled Parler’s hosting contract with them.
Jeff, who had found Parler to be a more welcoming platform for conservatives than Twitter, writes:
AWS has made a subjective value-based judgment that Parler is dangerous and should be shut down, because Parler is used by people that AWS deems to be dangerous. AWS has shut a large customer out of its operations because AWS does not approve of the customer’s customers.
Jeff frames it as not approving of people, but the action was on the basis of behavior — posts — that endanger the safety of others and public safety. But we’ll get back to it.
Jeff then tries to build a case that Amazon AWS terminating its contract with Parler means that HIPAA covered entities and business associates that use Amazon AWS are also at risk of similar abrupt cancellation by Amazon AWS.
Step by “it’s not a stretch to” step, Jeff tries to build the case that what Amazon AWS did is so concerning that HIPAA covered entities and business associates may be out of compliance with HIPAA if they use Amazon AWS.
I know Jeff is mad at them, but his argument is more of a stretch than me trying to get back into my workout clothes after gaining tons of weight in the past few months. And that’s a pretty significant stretch, unfortunately.
He writes:
There’s no avoiding the obvious conclusion here: if you use AWS cloud services, you run the risk of AWS shutting you out of operations if AWS decides it does not like the patients or beneficiaries you serve.
Thus, as a HIPAA covered entity, you fail to ensure “availability” of PHI if you use AWS. HIPAA requires you to have reasonable safeguards to protect availability of PHI; if you are hosted by AWS and get shut out, your PHI is no longer available; it’s not reasonable to not protect against that possibility.
Final result: using AWS may be a violation of HIPAA, because it is an unreasonable risk to availability.
Those are pretty astonishing claims, so I looked into Amazon’s actions with respect to Parler. Had they done what Jeff accused them of?
What I found is that Amazon AWS had contacted Parler in the weeks before it took action to point out concerning content on Parler that posed a public safety threat or that promoted violence. Amazon AWS submitted approximately 100 posts to them over a period of weeks to ask Parler what it was doing about them. Parler allegedly not only did not deal promptly with the approximately 100 examples Amazon AWS provided to Parler, but at one point, Parler’s CEO allegedly admitted that they had a backlog of about 26,000 posts to consider, and that their approach at that point involved using “volunteers” to deal with problematic content complaints. All of this is described in a brief Amazon AWS filed in opposition to a motion by Parler for a TRO.
After January 6, Amazon AWS sent Parler additional posts that were concerning because they advocated assassination of specific people or other violence. Again, Amazon AWS asked Parler for its plan to eliminate the problematic content from its platform. When Parler didn’t handle the content threatening violence, Amazon enforced the terms of contract. Their contract
makes clear that AWS may suspend or terminate an account “immediately” upon notice if AWS determines that an end user’s use of the services “poses a security risk to the Service Offerings or any third party,” or otherwise breaches the Agreement.
Threatening to kill named people or plotting with others to harm them would seem to pose a security risk to a third party, wouldn’t it?
Amazon AWS did not suspend or terminate Parler immediately, but only after repeated inquiries to Parler with examples of problematic content. And the problems were allegedly increasing, not decreasing. If you are wondering about the content that Amazon AWS called attention to, it included items like these:
- “Fry’em up. The whole fkn crew. #pelosi #aoc #thesquad #soros #gates #chuckschumer #hrc #obama #adamschiff #blm #antifa we are coming for you and you will know it.”
- “Shoot the police that protect these shitbag senators right in the head then make the senator grovel a bit before capping they ass.”
- “This bitch [Stacey Abrams] will be good target practice for our beginners.”
- “This cu** [United States Secretary of Transportation Elaine Chao] should be… hung for betraying their country.”
(The above are either in the Amazon AWS brief filed in court or provided to PogoWasRight.org by an Amazon AWS spokesperson).
Now Jeff will probably and correctly point out that there are likely many people on Parler who did not issue threats of violence or endanger public safety, and I would likely agree with him. But I also agree that Amazon AWS has the right to enforce their agreement and they shouldn’t have to host such objectionable and dangerous content. Would Jeff demand they host child pornography or snuff films too if an AWS customer didn’t deal with those kinds of problematic content? After all, it’s not a stretch to take his argument to that level, right?
In his post, Jeff claimed that Amazon AWS locked Parler out of their data as if Parler lost their data because of Amazon AWS’s actions. That is not true, either. On January 9, 2021, after Parler continued to fail to deal with violent content and in light of an increasing number of violent posts, AWS notified Parler it would suspend its account effective 11:59 p.m. January 10. Amazon AWS’s statements to Parler allegedly confirmed that AWS would
“ensure that all of your data is preserved for you to migrate to your own servers, and will work with you as best we can to help your migration.”
That’s a far cry from Jeff’s claim that AWS “locked Parler out of its data.” They preserved the data and offered to help with migration of it.
Jeff clearly doesn’t like what Amazon AWS did to a platform he favored, but to suggest that HIPAA covered entities should reconsider using Amazon AWS because they enforced a contract with Parler makes me wonder if he is really advising his firm’s clients this way.
“It’s not a far stretch,” Jeff writes, “to think that a healthcare system in a red state would be at risk of being shut out of AWS, because its patients are the types of people AWS associates with Parler.”
What would these patients be doing on AWS’s service that would violate the agreement between a covered entity or business associate and Amazon AWS? I am hard-pressed to think of any scenario where AWS would suspend a healthcare system’s contract or terminate it because of something patients might do. Are covered entities letting patients post on the hospital’s web site that they want to kill or assassinate people? What objectionable content would Amazon AWS claim violates its agreement?
Jeff continues:
It’s certainly not a stretch to think that AWS could shut down cloud access to a health plan for a gun manufacturer. Oil companies, Catholic charities, beef farmers, anyone not liberal is at risk.
“Oh, come on,” you say, “these are odious people on Parler, all good people would agree they are terrible folks and deserve to be shunned.” Well, wait until it happens to you. Once your vendors start making value judgments (and “picking sides,” which is what they’re doing), all bets are off.
And that’s where Jeff’s failure to distinguish between making judgments about people and judgments about violent content results in his argument failing. There should be no sides when it comes to threats of violence or planning violence. It is one thing to plan a protest, it is another to plan to bring plastic handcuffs or to seek out people to terrorize them or physically harm them.
There’s no avoiding the obvious conclusion here: if you use AWS cloud services, you run the risk of AWS shutting you out of operations if AWS decides it does not like the patients or beneficiaries you serve.
No, you run the risk that you always run — that if you violate the terms of contract, the entity may enforce or terminate the contract.
Thus, as a HIPAA covered entity, you fail to ensure “availability” of PHI if you use AWS.
HIPAA requires you to have reasonable safeguards to protect availability of PHI; if you are hosted by AWS and get shut out, your PHI is no longer available; it’s not reasonable to not protect against that possibility.
By the way, isn’t that what backups are for? And didn’t AWS offer to help its now-former customer to migrate to their new host?
Final result: using AWS may be a violation of HIPAA, because it is an unreasonable risk to availability.
Is Jeff going to lay this all out to HHS to see their opinion? I will be surprised if he does.
It’s okay for Jeff to be angry at Amazon AWS or disappointed with them. It’s okay to disagree strongly with Amazon AWS’s decision. I am a bit surprised, though, because, since he is a lawyer, I would expect Jeff to defend a business’s right to enforce its terms.
But for him to try to argue that using Amazon AWS may mean an entity is out of compliance with HIPAA is just a stretch waaaaay too far. Indeed, I think it would be a shame if people actually used less secure and less reliable hosts for data because Jeff has scared them. I think there are concerns that can be raised about using cloud services and AWS, but not the issues he has raised.
Or is Jeff’s post just a coded message to tell people to boycott Amazon AWS for political reasons? If so, just call for a boycott for political reasons. But to claim that this raises a genuine HIPAA compliance concern? Nope, I don’t buy it.