The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health Insurance Portability and Accountability Act (HIPAA).
Last month, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the storage of protected health information (PHI) in the cloud. Not surprisingly, the OCR reiterated its expectation that covered entities enter into business associate agreements with service providers and provide prompt notice of unauthorized access. However, one of the more surprising takeaways from that guidance was the OCR’s position that a cloud service provider (CSP) could be subject to HIPAA merely by storing encrypted PHI. Specifically, the OCR has said, “When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA[.] This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules[.]”
This is huge! Even if a CSP is unable to read or access PHI, the CSP would STILL be considered a business associate. Consider that under many state breach notification laws, encryption that renders data unreadable or indecipherable is a safe harbor in the event of unauthorized access. The position taken by the OCR holds CSPs to a higher standard than those who gain unauthorized access. This has significant ramifications for those CSPs who have explicitly sought to limit their exposure and regulatory compliance obligations by restricting their access to PHI. It seems those efforts may have been in vain. To the extent any CSP stores or maintains PHI on behalf of a covered entity, even if encrypted, that CSP must comply with HIPAA.
All CSPs should take a close look at PHI storage practices and evaluate their potential HIPAA compliance obligations in light of this guidance.