We’ve put together a guide, in FAQ question-and-answer format, for those of you who need more information on the cloud computing rules under the Office for Civil Rights’ (OCR) HIPAA regulations. It should get you well versed in how covered entities (CEs) and business associates (BAs) subject to HIPAA should operate when storing and sharing patient information in the cloud.
Yes, provided the CE or BA enters into a business associate agreement (BAA) or contract that is HIPAA-compliant with the cloud services provider (CSP) who will be creating, receiving, maintaining, or transmitting ePHI on its behalf. The contract will also bind the CSP to comply with HIPAA rules. The BAA establishes a code of conduct that both governs the required uses and disclosures of ePHI by the BA, and also requires the BA to safeguard the ePHI appropriately, with strict adherence to Security Rule requirements.
Yes. This is because the CSP receives and maintains (i.e., processes and/or stores) ePHI on behalf of a covered entity or another BA. Having no encryption key for the encrypted data it receives and maintains does not exempt a CSP from BA status and the related obligations under the HIPAA Rules. Any entity that maintains ePHI as a proxy for a covered entity (or another business associate) is a BA, even if the entity cannot actually view the ePHI. Thus, a CSP that maintains encrypted ePHI on behalf of a covered entity (or another business associate) is by definition a business associate, even if it does not hold a decryption key and therefore cannot view the information. For convenience, this guidance uses the term “no-view services” to describe the scenario in which the cloud service provider maintains encrypted ePHI on behalf of a covered entity (or another business associate) without having access to the decryption key.
Normally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
The OCR does not endorse or recommend specific technology or products.
If a covered entity (or business associate) uses a cloud service provider to maintain (i.e., process or store) ePHI without first entering into a BAA with the CSP, the CE (or BA) is in violation of the HIPAA Rules at 45 CFR §§ 164.308(b)(1) and 164.502(e). The OCR has entered into a resolution agreement and corrective action plan with a covered entity that the OCR determined had used a cloud-based server to store the ePHI of over 3,000 individuals without entering into a BAA with the CSP. Any CSP that becomes aware that it is maintaining ePHI must come into compliance with the HIPAA Rules or securely return the ePHI to the customer; or, if agreed to by the customer, securely destroy the ePHI. Once the CSP securely returns or destroys the ePHI (subject to arrangement with the customer), it is no longer a BA. It is recommended that CSPs document these actions.
While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from using or disclosing the data in a manner that is inconsistent with the Rules.
Yes, in all cases. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires BAs to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; and document security incidents and their outcomes. In addition, the Security Rule at 45 CFR § 164.314(a)(2)(i)(C) provides that a BAA must require the BA to report any security incidents of which it becomes aware to the CE or BA whose ePHI it maintains. A security incident under 45 CFR § 164.304 is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Thus, a CSP that is a business associate must implement policies and procedures to address and document security incidents, and must also report security incidents to its CE or BA customer.
Some Additional Quick Q & A on HIPAA Cloud Computing Rules
Are health care providers allowed to use mobile devices to access ePHI in the cloud under HIPAA rules?
Yes, provided the appropriate administrative safeguards are in place, along with signed BAAs.
Do HIPAA Rules require a CSP to maintain ePHI beyond the period of time it has contracted for with a given BA or CE?
No. The Privacy Rule provides for the return or destruction of the ePHI where feasible at the termination of a BAA.
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules.
If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a BA?
Get Further Advice About HIPAA Compliance and Cloud Computing
You can also speak to an IT specialist about cloud computing and HIPAA compliance rules at Outsource My IT, which is a proven leader in providing IT consulting in New Jersey. Contact an IT expert at (973) 638-2722 or send us an email at firstname.lastname@example.org today, and we can help you with all your questions or needs.