On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance on complying with HIPAA privacy, security, and breach notification rules when using cloud computing technology (i.e., on-demand internet access to computing). As the prevalence of the use of cloud computing solutions has grown, so have questions around how HIPAA-covered entities and business associates can stay compliant. According to the OCR, it has released this guidance and related answers to frequently-asked-questions (“FAQs”) in order to assist both HIPAA-covered entities and cloud service providers (“CSPs”) in understanding their HIPAA obligations.
The guidance covers basic yet important topics, including affirming that covered entities and business associates may engage CSPs to store or process electronic protected health information (“ePHI”), and may only do so under a HIPAA-compliant business associate agreement. OCR has also used the guidance to clarify some aspects of HIPAA’s application to CSPs.
Encryption. Significantly, OCR clarifies in the guidance that a CSP storing or maintaining ePHI on behalf of a covered entity or business associate is itself a business associate even if the ePHI is encrypted and the CSP lacks the encryption key for the data, thereby providing what OCR refers to as “no-view” services to covered entities or business associates. OCR cautions in the guidance that although encryption may significantly reduce the risk of ePHI being viewed by unauthorized person, encryption does not maintain the integrity and availability of ePHI, such as by ensuring that information is not corrupted by malware or ensuring through contingency planning that the data remains available to authorized persons during emergency situations.
Use of Mobile Devices. The guidance affirms that health care providers, other covered entities and business associates may use mobile devices to access ePHI in a cloud so long as appropriate safeguards are implemented on the mobile device and in the cloud. OCR referred in this regard to previously published guidance on the use of mobile devices.
Reporting of Security and Breach Incidents. The guidance also states that CSPs – like other business associates – must report security incidents involving ePHI. The guidance highlights the definition of a “security incident” under 45 C.F.R. § 164.304 as “the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.” For security incidents, according to OCR, the HIPAA Security Rule is flexible and does not prescribe the level of detail, frequency or formatting of reports. Accordingly, the parties may agree to varying levels of reporting based on the nature and extent of a security incident. In contrast, OCR notes, the Breach Notification Rule does specify the content, timing, and other information required to be reported about a breach. According to OCR, a business associate agreement may impose more stringent reporting requirements, so long as the terms of the business associate agreement still meet the Breach Notification Rule’s reporting requirements.
Storage of ePHI Outside the U.S. OCR took the opportunity in the guidance to note that the HIPAA Rules do not prohibit CSPs from storing ePHI on servers located outside the United States, although, according to OCR, outsourcing storage or other services for ePHI may increase the risks and vulnerabilities to the ePHI.
Additional topics covered in the guidance include the appropriate time at which a CSP may return and/or destroy ePHI once its relationship with a covered entity or business associate has ended and auditing of CSPs.
