Author: Chris Bowen
Chief Privacy and Security Officer and Founder, CISSP, CIPP/US, CIPT
The Department of Health and Human Services recently issued its Guidance on HIPAA and Cloud Computing.
Let me boil it down for you:
- The Cloud Service Provider (CSP) is a business associate under HIPAA.
- When a business associate subcontracts with a CSP like Amazon Web Services, to create, receive, maintain, or transmit electronic protected
- health information (ePHI) on its behalf, the CSP subcontractor itself is a business associate.
- This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data.
- Covered Entities and CSPs must enter appropriate Business Associate Agreements (BAAs).
- Cloud Service Providers who sign BAAs with Covered Entities are directly liable for compliance with the applicable requirements of the HIPAA Rules.
The guidance provides answers to the following questions:
May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
- HHS says yes. ClearDATA was formed for this very purpose; to provide healthcare-focused cloud and security solutions specifically for environments that create, process, store, or interact with ePHI.
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
- HHS says yes, because the CSP receives and maintains ePHI for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules.
Can a CSP be considered a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
- HHS says generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
Which CSPs offer HIPAA-compliant cloud services?
- OCR does not endorse, certify, or recommend specific technology or products. ClearDATA does offer HIPAA, HITECH and HITRUST compliant services to the healthcare industry.
What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
- HHS states the covered entity (or business associate) would be considered in violation of the HIPAA Rules.
If a CSP experiences a security incident involving a HIPAA covered entity/business associate’s ePHI, must it report the incident to the covered entity or business associate?
- HHS unequivocally says yes. A business associate CSP must implement policies and procedures to address and document security incidents, and must report security incidents to its covered entity or business associate customer. In addition, the Breach Notification Rule specifies the content, timing, and other requirements for a business associate to report incidents that rise to the level of a breach of unsecured PHI to the covered entity (or business associate) on whose behalf the business associate is maintaining the PHI.
Do the HIPAA Rules allow healthcare providers to use mobile devices to access ePHI in a cloud?
- HHS says yes, as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any 3rd party service providers for the device and/or the cloud that will have access to the e-PHI.
Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
- HHS says no. The Privacy Rule provides that a business associate agreement (BAA) must require a business associate to return or destroy all PHI at the termination of the BAA where feasible. Where not feasible the BAA must extend the privacy and security protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
- HHS says yes, as long as the covered entity (or business associate) enters into a BAA with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules.
Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?
- HHS says no. Assurances can come in the form of a business associate agreement (BAA) with the CSP that the CSP will safeguard the PHI that it creates, receives, maintains or transmits for the covered entity or business associate. Customers may require from a CSP (through the BAA, service level agreement, or other documentation) additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities.
If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a business associate?
- HHS says no. A CSP is not a business associate if it receives and maintains only de-identified data following the processes required by the Privacy Rule.