Cloud service providers are on notice: you are HIPAA business associates, even if you cannot access the HIPAA-protected information in your cloud. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance making clear that cloud service providers (CSPs) that create, receive, maintain, or transmit electronic protected health information (ePHI, referred to below simply as PHI) are covered by HIPAA.
The guidance is notable for its broad scope. Whether a CSP offers a simple cloud storage solution or a complex interactive application for managing electronic medical records, it should consider whether its business maintains PHI. If it does, it will need to enter into business associate agreements (BAAs) and implement an effective HIPAA compliance program. Likewise, HIPAA covered entities (CEs) must determine whether the services provided to them by CSPs give rise to HIPAA obligations. OCR’s latest guidance clarifies how and when HIPAA applies in the cloud service context.
Cloud Service Providers are Business Associates
- HIPAA rules apply even if a CSP cannot access the PHI that it stores. These “no-view services,” in which a CSP stores encrypted information on behalf of a covered entity or business associate and does not hold the encryption key, still trigger the need for a BAA. Even where the customer is the sole party able to read the information, the CSP is not exempt from its HIPAA obligations as a business associate. Encryption protects confidentiality but does not by itself satisfy the Security Rule’s integrity and availability requirements, so the CSP remains responsible for safeguards such as access controls on the stored ciphertext, backup and recovery, and contingency planning. The Security Rule’s requirements are flexible and scalable to the size and nature of the service, and the BAA may allocate particular safeguards between the CSP and its customer.
- The conduit exception generally does not apply. The guidance emphasizes that CSPs typically do not qualify for the HIPAA “conduit exception.” That exception applies only to entities providing transmission services (with any storage incidental and transient, as with a courier or an internet service provider). A CSP that stores PHI, even as a “no-view service,” would not be considered a conduit.
- Mobile devices are within scope. CSPs providing services that function with mobile devices such as phones or tablets are covered. BAAs must be in place with any CSPs that are storing or will have access to the PHI. OCR previously released separate guidance on using and securing PHI on mobile devices that complements the cloud computing guidance.
Key HIPAA Compliance Obligations for Cloud Service Providers
CSPs will need to enter into BAAs and comply with the HIPAA Security Rule, the Breach Notification Rule, and the applicable provisions of the Privacy Rule. Key compliance obligations include:
- report any security incidents or breaches of unsecured PHI of which they become aware to their customers, with limited exception;
- return or destroy any PHI in their possession at the end of the effective term of a BAA, where feasible; and
- consistent with the governing BAA, make PHI available as necessary for the CE to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of disclosures of PHI.
If a CSP does not have actual or constructive knowledge that a customer is storing PHI in its cloud, an affirmative defense to allegations of a HIPAA violation may be available, provided that the violation was not due to willful neglect and the CSP takes corrective action (including entering into a BAA) within 30 days of the date it knew, or by exercising reasonable diligence would have known, that it was maintaining PHI.
HIPAA Obligations in the Cloud Environment Can Vary and Should be Addressed in Contracts
- CSPs storing PHI should execute business associate contracts with customers. Note, however, that even if a BAA is not in place, CSPs storing PHI are required to comply with all applicable provisions of the HIPAA rules.
- The CSP and its customer each remain responsible for their own HIPAA compliance. HHS recognizes, however, that requiring both parties to implement the same safeguards would in some cases be redundant, so the parties may allocate responsibility for particular Security Rule safeguards between them in the BAA or service level agreement. Allocation does not transfer liability: each party is still answerable for the safeguards it has agreed to provide, and the customer must still confirm through its own risk analysis that the combined controls are adequate.
- Requests for assurance of protections for PHI beyond what is expressly required in the HIPAA regulations are increasingly common. Customers may request documentation of security protections, audit rights, or other information related to security practices. These requests and related contractual provisions are permitted provided that their terms are consistent with both entities’ HIPAA obligations.
- The use of CSPs outside the United States is not prohibited by HIPAA. That said, the risks to PHI vary with where the data is stored and processed, and outsourcing overseas can introduce risks and vulnerabilities (for example, differing legal regimes governing government access to data, or enforcement difficulties) that call for additional contractual protections. Such risks need to be accounted for in the security risk analysis and risk management plans required by the HIPAA Security Rule.
How should entities respond to the guidance?
HIPAA regulated entities using or providing cloud-based services should:
- Evaluate the services and identify when BAAs are required.
- Enter into a BAA as appropriate. OCR has made compliant BAAs an enforcement priority, recently assessing a financial penalty of $2,700,000 and entering into a resolution agreement and corrective action plan with Oregon Health & Science University for allegedly storing the PHI of more than 3,000 individuals on a cloud-based server without entering into a BAA.
- Conduct risk analyses and establish risk management activities in connection with the use or provision of the service.