As cloud computing services reach widespread usage, questions about what exactly constitutes HIPAA covered entities (CE’s) and business associates (BA’s) arise, along with how those entities can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This article will provide guidelines taken from the HHS.gov website for such entities, including cloud services providers (CSPs), towards better understanding of the OCR’s (Office for Civil Rights) HIPAA regulations. The subsequent information should provide a better understanding on things like how covered entities (CE’s) and business associates (BA’s) under HIPAA compliance regulation should be operating when it comes to storing and disseminating patient information in the cloud.
Can a HIPAA covered entity or Business Associate use cloud services to store or process electronically protected health information (ePHI)?
Yes, provided the covered entity or business associate enters into a business associate agreement (BAA) or contract that is HIPAA-compliant with the cloud services provider who will be creating, receiving, maintaining, or transmitting ePHI on its behalf. The contract will also bind the CSP to comply with HIPAA rules. The BAA establishes a code of conduct that both governs the required uses and disclosures of ePHI by the BA, and also requires the BA to safeguard the ePHI appropriately, with strict adherence to Security Rule requirements.
If a CSP stores only encrypted ePHI and has no decryption key, does it still qualify as a HIPAA business associate?
Yes, because the CSP receives and maintains (i.e., processes and/or stores) ePHI on behalf of a covered entity or another BA. Having no encryption key for the encrypted data it receives and maintains does not exempt a CSP from BA status and the related obligations under HIPAA Rules. Any entity that maintains ePHI as proxy for a covered entity (or another business associate) is a BA, even if the entity cannot actually view the ePHI. Thus, a CSP that maintains encrypted ePHI on behalf of a covered entity (or another business associate) is, by definition, a business associate, even if it does not hold a decryption key and therefore cannot view the information. For convenience purposes this guidance uses the term “no-view services” to describe the scenario in which the cloud service provider maintains encrypted ePHI on behalf of a covered entity (or another business associate) without having access to the decryption key.
Can a CSP be considered as a “conduit” like the postal service, and, therefore, not a BA that must comply with the HIPAA Rules?
Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
Which CSPs offer HIPAA-compliant cloud services?
The OCR does not endorse or recommend specific technology or products.
What if a HIPAA covered entity (CE) or business associate (BA) uses a CSP to maintain electronic protected health information without first executing a business associate agreement (BAA) with that CSP?
If a covered entity (or business associate) uses a CSP to maintain (i.e., process or store) ePHI without first entering into a business associate agreement with the CSP, the CE (or BA) is in violation of the HIPAA Rules 45 C.F.R §§164.308(b)(1) and §164.502(e). The OCR has entered into a resolution agreement and corrective action plan with a covered entity that the OCR determined used a cloud-based server to store the ePHI of over 3,000 individuals without entering into a BAA with the CSP. Any CSP that becomes aware that it is maintaining ePHI must come into compliance with the HIPAA Rules or securely return the ePHI to the customer; or, if agreed to by the customer, securely destroy the ePHI. Once the CSP securely returns or destroys the ePHI (subject to arrangement with the customer), it is no longer a BA. It is recommended that CSPs document these actions.
And, while a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from using or disclosing the data in a manner that is inconsistent with the Rules.
If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, is it required to report the incident to the CE or BA?
Yes, in all cases. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires BA’s to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; as well as document security incidents and their outcomes.
HIPAA Cloud Computing Rules: Some Additional Q & A
Q: Are health care providers allowed to use mobile devices to access ePHI in the cloud under HIPAA rules?
A: Yes, provided the appropriate administrative safeguards are in place, along with signed BAA’s.
Q: Do HIPAA Rules require a CSP to maintain ePHI beyond the time period it has contracted for with a given BA or CE?
A: No. The Privacy Rule provides for the return or destruction of the ePHI where feasible at the termination of a BAA.
Q: Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
A: Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules.
Q: If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a BA?
A: No.
Covered entities and business associates seeking information about types of cloud computing services and technical arrangement options should consult the National Institute of Standards and Technology: SP 800-145, The NIST Definition of Cloud Computing – PDF.
For More Advice on HIPAA Compliance and Cloud Computing
If you need further guidance on HIPAA rules and the cloud, you can speak to an IT specialist about cloud computing and HIPAA compliance rules at Alvarez Technology Group, which is a proven leader in providing IT consulting and cloud services in Salinas. Contact an IT expert at (831) 753-7677 or send us an email at [email protected] today, and we can help you with all your questions or needs.