Last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided guidance for HIPAA covered entities and business associates that use or want to use cloud computing services involving protected health information (PHI). Covered entities and business associates seeking cloud services often have many concerns regarding HIPAA compliance, and this guidance helps to address some of those concerns. The guidance also will help cloud service providers (CSPs) understand some of their obligations when serving the vast health care sector. Frankly, this guidance is helpful for any entity that desires to use cloud services to store, transfer or otherwise process sensitive information, including personal information. We summarized some of the key points in the guidance below.
CSPs that only store PHI and provide “no-view” services are not subject to HIPAA, right?
Wrong. OCR reminds everyone that when a covered entity engages a CSP to create, receive, maintain, store or transmit ePHI, on its behalf, the CSP is a business associate under HIPAA. Likewise, when a business associate subcontracts with a CSP for similar services, the CSP is a business associate.
Practically, however, with regard to no-view services, CSPs and their HIPAA-covered customers can take advantage of the flexibility and scalability built into the HIPAA rules. OCR’s guidance points out that when a CSP is providing only no-view services, certain Security Rule requirements may be satisfied for both parties through the actions of one of the parties. For example, certain access controls, such as unique user identification, may be the responsibility of the customer (when the customer has sole access to ePHI), while others, such as encryption, may be the responsibility of the CSP. Thus, the parties will have to review these issues carefully and modify the agreements accordingly.
Is this true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data?
Yes. Accordingly, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable under the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules. Note that the absence of a BAA does not change that the CSP is a business associate subject to the applicable requirements under the rules, but the HIPAA covered entity would not have contractual protection, such as breach of contract claims and indemnity.
For entities not covered by HIPAA, you may have other legal obligations that apply when you decide to share certain information with a CSP. For example, rules in California and Massachusetts generally require businesses to obtain written agreements from third parties to safeguard the personal information they maintain for the business to perform the desired services.
So, if we use a CSP, we only have to worry about having a BAA in place?
Probably not. Use of cloud services likely will require the covered entity or business associate to perform a risk assessment to understand how those services will affect overall HIPAA compliance. Some of those compliance issues will be addressed in the BAA. However, contracting with a CSP often involves a “Service Level Agreement” or “SLA” which can raise other HIPAA compliance issues. For example, specific SLA provisions concerning system availability or back-up and data recovery may not be permissible under HIPAA. Entities not covered by HIPAA have similar needs to ensure that the cloud services will meet their needs with respect to these and other issues, such as return of data following termination of the SLA.
If data is encrypted in the cloud, is HIPAA satisfied?
No. Strong encryption reduces risk to PHI for sure, but does not maintain its integrity and availability. That is, for example, encryption does not ensure that ePHI is not corrupted by malware, or that it will remain available to authorized persons during emergency situations. Further, encryption does not address other administrative and physical safeguards. For example, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still need to implement appropriate internal controls to assure only authorized access to administrative tools that manage resources (e.g., storage, memory, network interfaces, CPUs). The SLA and the BAA are important vehicles for confirming which entity is responsible for these requirements.
Can CSPs block our access to PHI?
No. Blocking a covered entity’s access to PHI would violate the Privacy Rule. Thus, for example, an SLA cannot contain a provision that allows the CSP to block access to ePHI to resolve a payment dispute. Note this may not be the case with arrangements not covered by HIPAA. Accordingly, owners of the data in these situations need to proceed with care when negotiating and disputing payment under come SLAs.
Do CSPs have to report “pings” and others unsuccessful security incidents?
In general, the answer is yes. Security Rule § 164.314(a)(2)(i)(C) provides that a BAA must require the business associate to report any security incidents of which it becomes aware. A security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. However, the Security Rule is flexible and does not prescribe the level of detail, frequency, or format of reports of security incidents, which may be worked out in the BAA. Thus, the parties should consider different levels of detail, frequency, and formatting of reports based on the nature of the security incidents.
Does HIPAA permit PHI to be stored in the cloud outside of the United States?
In short, the answer is yes. But, as noted above, the covered entity or business associate needs to consider the applicable risks.
Cloud services can yield substantial cost savings and offer substantial convenience to users. CSPs also tend to offer a higher level of sophistication in the area of data security than most health care providers and their service providers. But the failure to think carefully about adoption and implementation of these services can create substantial exposure for the company. Significant exposure can result not only from a breach of PHI in the cloud environment, but also from the failure to appropriately consider and document the risks relating to that environment.