On October 7, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published guidance (“Guidance”) on how cloud services providers (“CSPs”) and covered entities using cloud computing solutions can comply with the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (“HIPAA”). Over the last few years the use of cloud computing by the healthcare industry has seen exponential growth – from Google Drive and Dropbox to offshore data servers run by third parties – which has caused many covered entities and business associates to question how they can ensure compliance with HIPAA requirements. In the Guidance, the OCR seeks to affirm certain industry practices and clarify some of the confusion surrounding key topics.
At the beginning of the Guidance, OCR confirms that HIPAA applies to all CSPs that create, receive, maintain or transmit protected health information (“PHI”) on behalf of a covered entity or business associate. As a result, CSPs must enter into a HIPAA-compliant business associate agreement (“BAA”) with covered entities and other business associates. This means that all CSPs are contractually liable under the terms of the BAA and directly liable for compliance with the HIPAA rules. The Guidance then addresses several other topics in a frequently-asked-questions (“FAQs”) format regarding HIPAA’s application to CSPs, as summarized below.
Encryption. Whether a CSP has an encryption key to the encrypted PHI is not relevant, instead HIPAA applicability is determined by whether the CSP stores or maintains PHI on behalf of the covered entity or business associate. The OCR views encryption as a security measure that reduces risks of data breach, but not as an exemption to HIPAA obligations. According to the OCR, encryption does not adequately safeguard the confidentiality, integrity, and availability of PHI to meet the requirements of the HIPAA Security Rule. This means that CSPs who simply store or maintain PHI and lack an encryption key to the data (also referred to as, “no-view service”) are still subject to the HIPAA requirements.
Obligations for CSPs with “No-View Service.” The OCR explains how the HIPAA requirements for CSPs with “no-view service” are flexible by addressing the security, privacy, and breach notification obligations separately.
Security Rule Considerations. To the relief of many, the OCR only requires that one party meets the HIPAA security obligations where a CSP provides no-view service. Itis important to note that while parties need not make duplicitous efforts in meeting the Security Rule, both parties remain fully responsible under the Security Rule if there is a gap or missing security feature. For example, a CSP may still be responsible for administrative measures and the encryption while the covered entity or business associate handles other requirements, such as access controls. This should remove a lot of pressure from both parties as they will be able to divide the burden of meeting security requirements in a way that makes more sense to each. Counsel should ensure that each party addresses how they will meet the Security Rule requirements in the BAA to prevent any gaps or confusion.
Privacy Rule Considerations. Even though “no-view service” CSPs do not have access to the PHI, CSPs are still required to meet the obligations under the Privacy Rule by ensuring that the covered entity can meet its obligation to provide access, amendments, and accountings of certain disclosures of PHI.
Data Breach Notifications. CSPs with no-view services are required to comply with the HIPAA data breach notification requirements that apply to business associates.
Storing PHI Outside of the United States. The Guidance states that CSPs are not prohibited from storing PHI on servers located outside of the United States. However, OCR does warn that storage outside of the United States may result in increased risks and vulnerabilities to the data.
Takeaways and Next Steps
Pursuant to Guidance, CSPs are subject to the HIPAA requirements even if they lack the encryption key (or, are a “no-view service”), and covered entities and business associates are required to execute BAAs with CSPs to avoid violating HIPAA.
If you are a covered entity and/or business associate that uses clouds for anything, then there are some steps you should take to reduce your liabilities under HIPAA.
- Reach out to your organization’s IT or Security department to determine whether you are using any CSPs.
- Determine whether the identified CSPs are storing, receiving, transmitting or creating any PHI. If so, ensure that there is a BAA in place with the CSP that adequately meets the HIPAA requirements and reduces your organization’s liabilities
- If you haven’t already, be sure to include CSPs in the organization’s future HIPAA assessments.