In early October the long-awaited guidance on HIPAA compliant cloud was released by HHS / OCR. There wasn’t a lot of shocking information for us since it just restated, maybe more clearly, that cloud services providers (CSPs) must sign a BAA and meet certain obligations as a BA.
Hopefully, this will address all the cases where some CSPs would use “sleight of hand” with phrasing to claim they didn’t have to be a HIPAA compliant cloud provider. The amount of “all ya gotta do is” descriptions of HIPAA compliant cloud solutions is the kind of misinformation that only makes things harder to get done. Let’s look at what HIPAA compliant cloud rules the OCR guidance addressed.
HIPAA Compliant Cloud OCR Guidance
1. May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
Yes, we have never said you can’t use a cloud provider. You just have to make sure you take care of things with them in a similar manner that you would any other Business Associate. There is such a thing as a HIPAA compliant cloud solution within certain limitations. Remember, no one can officially say they are compliant – only OCR can do that.
- The CSP must sign a “HIPAA compliant business associate contract or agreement”.
- The agreement includes that the CSP is obligated to implement the Security Rule.
- The CE or BA should understand the cloud computing environment or solution offered by a particular CSP so the CE or BA can appropriately conduct its own risk analysis and establish risk management policies.
- The type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.
- There should also be a Service Level Agreement (SLA) that addresses commitments for service features and availability, such as:
  - Data centers used
  - Backups performed
- But the SLA should not contradict the BAA, just complement it.
The CSP, as a BA, has regulatory obligations and is directly liable under the HIPAA Rules if it makes uses and disclosures of PHI that are not authorized by its contract, required by law, or permitted by the Privacy Rule. A CSP, as a business associate, also is directly liable if it fails to safeguard ePHI in accordance with the Security Rule, or fails to notify the covered entity or business associate of the discovery of a breach of unsecured PHI in compliance with the Breach Notification Rule.
2. If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Yes. They. Are.
As a business associate, a CSP providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules. However, the requirements of the Rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP.
An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI. Thus, a CSP that maintains encrypted ePHI on behalf of a covered entity (or another business associate) is a business associate, even if it does not hold a decryption key and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services to describe the situation in which the CSP maintains encrypted ePHI on behalf of a covered entity (or another business associate) without having access to the decryption key.
In cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, certain Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties. For example, if a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.
The CSP is still responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to information systems that maintain customer ePHI.
A CSP that is a business associate needs to consider and address, as part of its risk analysis and risk management process, the risks of a malicious actor having unauthorized access to its system’s administrative tools, which could impact system operations and impact the confidentiality, integrity and availability of the customer’s ePHI. CSPs should also consider the risks of using unpatched or obsolete administrative tools. The CSP and the customer should each confirm in writing, in either the BAA or other documents, how each party will address the Security Rule requirements.
While a CSP that provides only no-view services to a covered entity or business associate customer may not control who views the ePHI, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, ensuring the CSP does not impermissibly use the ePHI by blocking or terminating access by the customer to the ePHI.
The BAA between a no-view CSP and a covered entity or business associate customer should describe in what manner the no-view CSP will meet these obligations – for example, a CSP may agree in the BAA that it will make the ePHI available to the customer for the purpose of incorporating amendments to ePHI requested by the individual, but only the customer will make those amendments.
A CSP that offers only no-view services to a covered entity or business associate still must comply with the HIPAA breach notification requirements that apply to business associates.
3. Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Generally, no. The conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.
4. Which CSPs offer HIPAA compliant cloud services?
No OCR endorsement of any certification, applications, etc. Remember, “HIPAA compliant cloud” is just a statement, not a statement of fact.
5. What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
Still a violation of HIPAA, x 2 (for both the customer and the CSP).
OCR recognizes that there may, however, be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI. The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any non-compliance within 30 days (or such additional period as OCR may determine appropriate based on the nature and extent of the non-compliance) of the time that it knew or should have known of the violation (e.g., at the point the CSP knows or should have known that a covered entity or business associate customer is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.
6. If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?
Note, though, that the Breach Notification Rule specifies the content, timing, and other requirements for a business associate to report incidents that rise to the level of a breach of unsecured PHI to the covered entity (or business associate) on whose behalf the business associate is maintaining the PHI. See 45 CFR § 164.410. The BAA may specify more stringent (e.g., more timely) requirements for reporting than those required by the Breach Notification Rule (so long as they still also meet the Rule’s requirements) but may not otherwise override the Rule’s requirements for notification of breaches of unsecured PHI.
7. Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?
Yes. Do your risk analysis (RA) and plan for it.
8. Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate.
9. Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Yes. Do your risk analysis and BAA correctly.
10. Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?
No. The HIPAA Rules require covered entity and business associate customers to obtain satisfactory assurances in the form of a business associate agreement (BAA) with the CSP.
However, customers may require from a CSP (through the BAA, service level agreement, or other documentation) additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities.
11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a business associate?
This HIPAA compliant cloud guidance may finally put to rest some of the confusion and obfuscation of HIPAA compliance responsibilities between cloud vendors and their customers. Does this mean we can now just trust that all vendors who say they have a HIPAA compliant cloud solution actually have one? NO. Always trust but verify.