The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued a new guidance regarding HIPAA compliance and the use of cloud computing solutions. The guidance is intended to assist covered entities and business associates, including cloud service providers (CSPs), with understanding their obligations under the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules when implementing cloud computing solutions. Most significantly, the guidance clarifies that CSPs that have access only to encrypted health information are not exempt from the HIPAA requirements that apply to business associates. Accordingly, the CSP must execute "Business Associate Agreements" with its covered entity and business associate customers. The CSP is both contractually liable for meeting the terms of the Business Associate Agreement and directly liable for compliance with the applicable requirements of HIPAA.

The HIPAA privacy and security rules apply to covered entities – i.e. health plans, health care clearinghouses and health care providers who conduct certain billing and payment related transactions electronically – as well as to their business associates. A "business associate" is defined as a person or entity, other than a member of the covered entity’s workforce, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining or transmitting protected health information (PHI). A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is also considered a business associate. Accordingly, a CSP is a business associate when it contracts with covered entities to provide cloud computing solutions that involve processing or storing PHI. Further, when a business associate subcontracts with a CSP to maintain or transmit PHI on its behalf, the CSP subcontractor is itself a business associate. Following passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, business associates are directly liable for compliance with certain provisions of HIPAA.

The new guidance from OCR responds to key questions about the application of HIPAA to CSPs. In particular, OCR confirms that CSPs that only have access to encrypted PHI are nonetheless considered business associates of their covered entity and business associate customers, even if they do not have the decryption key and cannot view the data. OCR explains that "[w]hile encryption protects [electronic] PHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of [electronic] PHI, as required by the Security Rule." For example, encryption does not protect the information from corruption by malware and does not ensure that the information will remain available to authorized persons following a disaster.

OCR recognizes that there may be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit electronic PHI. If a CSP becomes aware that it is maintaining electronic PHI, it must come into compliance with the HIPAA Rules, or securely return the PHI to the customer or, if agreed to by the customer, securely destroy the PHI. The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any non-compliance within 30 days of the time that it knew or should have known that a covered entity or business associate customer is maintaining PHI in its cloud. This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.

What this means for your company:

In light of this new guidance, covered entities, business associates and their CSPs should ensure that they have properly executed business associate agreements in place. CSPs that provide services to covered entities or business associates and that maintain or transmit PHI in connection with such services should review whether they are in compliance with the HIPAA requirements that apply to business associates, including, without limitation, conducting a risk analysis to identify and assess potential threats and vulnerabilities to the confidentiality, integrity and availability of PHI and implementing such safeguards as are necessary to protect against reasonably anticipated threats or hazards.