OCR Issues Guidance on HIPAA and Cloud Computing
On October 7, 2016, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), released a guidance document (the “Guidance”) on the HIPAA-compliant use of cloud computing technologies. The Guidance includes “frequently asked” questions and answers for covered entities and business associates who use cloud products and services.
The Guidance focuses on cloud computing services provided by third-party cloud services providers (“CSPs”). The Guidance notes that “CSPs generally offer online access to shared computing resources with varying levels of functionality depending on users’ requirements.”
The Guidance makes clear that when a covered entity engages a CSP to create, receive, maintain or transmit electronic protected health information (“ePHI”) on its behalf, the CSP is a business associate of the covered entity. In addition, the Guidance states that when a business associate subcontracts with a CSP to create, receive, maintain or transmit ePHI, the CSP subcontractor is a business associate. A CSP will rarely qualify for the “conduit exception” (an exemption from business associate status), which is limited to transmission services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.
The Guidance document includes 11 FAQs.
One Guidance FAQ further clarifies that a CSP is a business associate even if the CSP stores only encrypted ePHI and does not have a decryption key. Another FAQ specifically affirms the necessity of a covered entity (or business associate) executing a business associate agreement with the CSP it uses to maintain ePHI. The OCR reminded covered entities and business associates of a previous OCR resolution agreement and corrective action plan that resulted from a covered entity’s failure to execute a business associate agreement with a CSP that stored ePHI of more than 3,000 individuals on a cloud-based server.
With respect to compliance with the HIPAA Security Rule, the Guidance emphasizes the importance of the covered entity or business associate understanding the cloud environment or cloud computing service provided by the CSP, so that the covered entity or business associate can appropriately conduct its risk analyses and prepare a risk management plan. The covered entity (or business associate) and the CSP are each responsible for their respective HIPAA compliance.
The final FAQ in the Guidance clarifies that a CSP that receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule is not a business associate because, by definition, de-identified information is not PHI.
CSPs are becoming increasingly common vendors for covered entities and business associates. The Guidance is useful in clarifying the role of CSPs and the importance of HIPAA compliance when participating in a commercial relationship with a CSP.
Saul Ewing attorneys regularly provide HIPAA privacy and security rule counseling for covered entities and business associates, including creating and revising policies and procedures and reviewing and drafting business associate agreements. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.