When Do Cloud Services Providers Have to Comply with HIPAA?HHS: In Most Cases, Cloud Providers Handling PHI Qualify as Business Associates
New long-awaited federal guidance clarifies that cloud services providers that handle protected health information are nearly always considered business associates under HIPAA and, as a result, must meet the regulation's security requirements.
The guidance, which the Department of Health and Human Services' Office for Civil Rights issued Oct 7, clarifies that even if a cloud services provider stores only encrypted electronic PHI and does not have a decryption key, it's still a BA and must have a business associate agreement with the covered entities to which it provides services.
Since the HIPAA Omnibus Rule, which went into effect in 2013, specified business associates are directly liable for HIPAA compliance, a number of big name cloud vendors had dismissed the notion that they qualified as BAs or needed a BA agreement.
"OCR's guidance on HIPAA and cloud computing is an important and long-overdue response to questions that have been festering without clear answer since the expansion of the jurisdiction of the HIPAA privacy and security rules to business associates," says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
"One key clarification was providing direction on how the definition of a business associate would apply to contractors or vendors who only handle encrypted PHI. OCR has clearly and definitively established that a cloud services provider is a business associate even if they store only encrypted ePHI."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the guidance is important for two reasons.
"First, it helps clarify some areas of widespread confusion, such as whether a BAA is needed if the cloud service provider only stores encrypted information and does not have the key," he says. "Second, it helps clarify the expectations on cloud service providers, such as what to do when they discover that they were maintaining protected health information without knowing it."
When Cloud Vendors are BAs
When a covered entity engages the services of a cloud services provider, or CSP, to create, receive, maintain (store) or transmit ePHI on its behalf, the cloud vendor is a business associate under HIPAA, OCR says in the guidance.
"Further, when a business associate subcontracts with a CSP to create, receive, maintain or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate," OCR adds. "This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA rules."
The only exception to cloud vendors being classified as BAs under HIPAA, OCR says, pertains to de-identified information. "A CSP is not a business associate if it receives and maintains ... only information de-identified following the processes required by the [HIPAA] Privacy Rule. The privacy rule does not restrict the use or disclosure of de-identified information, nor does the security rule require that safeguards be applied to de-identified information, as the information is not considered protected health information."
The guidance also points out that in addition to their contractual obligations under a business associate agreement, cloud services providers have regulatory obligations under HIPAA, including notifying covered entities of breaches involving unsecured PHI.
OCR recently entered a HIPAA settlement with a covered entity that lacked a business associate agreement with its cloud services provider. That $2.7 million settlement with Oregon Health & Science University in July stemmed from OCR's investigation into two 2013 breaches at the organization.
Lacking an encryption key for the encrypted data a cloud vendor receives and maintains does not exempt it from business associate status and associated obligations under the HIPAA Rules, OCR says.
"However, the requirements of the rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP," OCR adds.
For example, "where only the customer controls who is able to view the ePHI maintained by the CSP, certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the cloud services provider business associate."
Other Issues Clarified
The guidance, which is presented in a frequently asked questions format, also addresses several other related cloud concerns, including that:
- HIPAA allows healthcare providers to use mobile devices to access ePHI in a cloud;
- A covered entity or business associate is permitted under HIPAA to use a cloud services provider that stores ePHI on servers outside of the U.S.;
- HIPAA does not require cloud services providers that qualify as BAs to provide documentation of their security practices to their customers who are covered entities or BAs, and they're not required to allow auditing by their customers. However, customers may require from a CSP - through the BAA, service level agreement, or other documentation - additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities.
While the guidance clarifies that cloud services providers handling PHI are nearly always business associates under HIPAA, covered entities aren't off the hook for also safeguarding this data, Holtzman stresses.
"The OCR guidance on HIPAA and cloud computing clarifies that while all contractors and vendors must safeguard the PHI they hold, the covered entity does not offload responsibility for securing their PHI through hiring vendors to manage their data, or signing a business associate agreement," he says. "Covered entities and business associates engaging a vendor for cloud computing services should understand what environment or solution is being offered and incorporate the vendor's approach to information security into their own risk analysis and risk management policies in addition to executing a business associate agreement."
Greene, the attorney, says the concept of shared security is a big challenge for many organizations. "The HIPAA Security Rule requires each covered entity and business associate to maintain a variety of types of security controls. This suggests that each entity has a separate obligation to, for example, encrypt the same protected health information. In practice, cloud computing involves a sharing and delegation of security responsibilities - who will encrypt, who will audit, etc.," he notes. "The guidance appears to recognize that security functions can be delegated between the different entities. "
Greene says he'd like to see OCR issue guidance on co-location services, what he describes as "a cousin of cloud computing services."
"Where a co-location provider only provides physical space - including HVAC, internet, and physical security - for a covered entity or business associate's servers, is it more of a landlord or a business associate?," he asks. "I would argue that it is acting more like a landlord, but I know that parties have a hard time agreeing on this issue."