Cloud service providers that process electronic protected health information (ePHI) are business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), even if the PHI is encrypted and the cloud service provider is not able to view it. This unequivocal determination, made in recent guidance by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on HIPAA and Cloud Computing, puts an end to continued speculation on this subject.
The guidance clarifies that a cloud service provider (CSP) that creates, receives, maintains, or transmits ePHI on behalf of a HIPAA-covered entity or as a subcontractor for a covered entity's business associate is itself a business associate under HIPAA. Thus, HHS states that the relationship between the CSP and its customer must be governed by a business associate agreement (BAA) in order to comply with the regulations implementing HIPAA (HIPAA Rules). The CSP is directly required to comply with the privacy and data security obligations set forth in the HIPAA Rules.
A CSP constitutes a business associate, even if the CSP cannot view the ePHI because it is encrypted and lacks the decryption key. This is referred to as a "no view" service. Therefore, HHS states that even covered entities or business associates that engage CSPs that provide a "no view" service must enter into a HIPAA-compliant BAA with the CSPs.
If a covered entity or business associate determines that a BAA is required for a preexisting CSP relationship, it should rectify the situation by promptly entering into a BAA.
CSPs must comply with HIPAA obligations. These include:
Breach notification. A CSP is directly liable under HIPAA if it uses or discloses PHI in a manner not authorized by its contract, required by law, or permitted under HIPAA. Under the HIPAA Rules, the CSP must notify its customer if it discovers a breach of unsecured PHI.
Availability. A CSP must ensure that ePHI is not corrupted by malware and that ePHI remains available in disaster situations. It also must make the PHI available to its customer so that the customer can meet its own obligation to give individuals access to their information and the ability to request amendments to it.
Destruction of PHI. A CSP must return or destroy any PHI in its possession at the end of the effective term of a BAA, where feasible.
While CSPs providing "no view" services are also directly liable for meeting the terms of the BAA and for compliance with applicable HIPAA requirements, in practice their compliance may necessitate fewer actions than that of CSPs that can access the information. For example, a "no view" CSP must formally comply with the Breach Notification Rule. However, if the affected ePHI it is processing is encrypted according to HHS standards, and the decryption keys were not also compromised, the ePHI is not "unsecured" PHI; the incident then falls within a "safe harbor" and the CSP would not be required to report it to its customer.
However, encryption satisfies only one of the technical safeguards of the HIPAA Security Rule. CSPs must also implement the other required measures, including administrative safeguards to maintain the confidentiality of ePHI and physical safeguards for the systems and servers that house the ePHI.
The OCR has already engaged in enforcement actions relating to CSPs providing services without a BAA. In the case of Oregon Health & Science University (OHSU), the OCR entered into a settlement under which OHSU paid $2.7 million to the Department. Among the HIPAA violations included in the settlement was the storage of the ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement.
Entities that work with CSPs, or that are looking to engage CSPs, should:
Understand the cloud computing environment or solution offered by a particular CSP;
Conduct their own risk analysis to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
Conduct a risk assessment to ensure that the CSPs are capable of protecting the PHI entrusted to them in a manner compliant with HIPAA; and
Set out contractual provisions obligating the CSP to abide by these protective measures in a BAA and/or in a separate cloud services agreement.