The Department of Health and Human Services Office for Civil Rights (OCR) issued long-anticipated guidance to help covered entities and their business associates — including cloud service providers (CSPs) — comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Generally, OCR clarifies that a CSP is considered a business associate and therefore regulated under HIPAA when a covered entity or its business associate engages that CSP to create, receive, maintain or transmit electronic protected health information (ePHI) on its behalf, even if the CSP does not have an encryption key and cannot actually view the ePHI.

For these “no-view services,” OCR has determined that encryption and inability to access are insufficient measures to address all of the security concerns under the HIPAA Security Rule. Indeed, the other key considerations — integrity and availability — are directly relevant to CSPs, regardless of their ability to access the ePHI they maintain. Squarely addressing the justification that many CSPs used to assert that they should not be considered business associates, OCR expressly states that the “conduit” exception does not apply to CSPs, as it is available only for PHI that is “transient” in nature. Thus, for these key reasons, CSPs are considered business associates and are subject to direct liability under HIPAA.

A CSP must meet applicable HIPAA requirements, such as proper internal controls and breach response procedures. This also means that there must be a HIPAA-compliant business associate agreement (BAA) in place covering the arrangement. Consistent with this, OCR previously entered into a settlement agreement with a covered entity for $2.7 million and a corrective action plan because the covered entity stored ePHI on a cloud-based server without entering into an appropriate BAA.

OCR issued other specific points of guidance with respect to cloud computing, including the following:

  • Covered entities and business associates who engage CSPs must generally understand the cloud software in order to properly conduct their own risk analyses and develop their own risk-management policies required under HIPAA.
  • The parties should be sure that the service agreement between a covered entity or business associate and a CSP is consistent with the BAA and HIPAA. For example, the service agreement should not prevent the covered entity or business associate from accessing its ePHI.
  • Security Rule requirements may be appropriately satisfied by one party with respect to no-view services. For example, the covered entity may be responsible for authentication and user identification, while encryption is the responsibility of the CSP.
  • Covered entities and business associates may use mobile devices to access ePHI in a cloud as long as security requirements are followed and there is a BAA in place with any third-party service providers that will have access to the ePHI.
  • Using a CSP that stores ePHI on services outside of the United States is not prohibited, but OCR urges caution given the increased risks to ePHI depending on the geographic location and issues of enforcement.
  • For CSPs, the affirmative defense of taking corrective action to correct noncompliance within 30 days does not apply to “willful neglect.” Therefore, CSPs likely have an affirmative duty to inquire about the nature of data stored on their systems or clearly warn users that they may not store ePHI within the CSP’s systems.
  • Covered entities and business associates are not required to audit CSPs, but they must obtain “satisfactory assurances” that the CSP is complying with HIPAA requirements in a written BAA.