Cloud Service Providers Are HIPAA Business Associates Under HHS Guidance | Practical Law

In its latest subregulatory guidance, the Department of Health and Human Services (HHS) has addressed standards involving cloud services, covered entities, and business associates under the Health Insurance Portability and Accountability Act (HIPAA).

Practical Law Legal Update w-003-8717 (Approx. 8 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 12 Oct 2016 | USA (National/Federal)
In its latest subregulatory guidance, HHS has addressed the interaction of HIPAA's privacy and security rules with marketplace developments involving cloud computing. (For a discussion of HIPAA and cloud computing, see Practice Note, Cloud Computing and HIPAA Privacy and Security.)

Identifying Cloud Service Providers

Under HHS's guidance, a cloud service provider (CSP) is an entity that makes available online access to shared computing services having various levels of functionality. These services may include:
  • Data storage.
  • Complete software solutions (for example, an electronic medical record system).
  • Platforms to enable application developers to create new products.
  • Comprehensive computing infrastructures for software programmers to launch and test programs.
Related guidance from the National Institute of Standards and Technology (NIST) offers a more comprehensive definition of cloud computing.

CSPs Generally Are HIPAA Business Associates in Their Own Right

HHS takes the position in its guidance that when a HIPAA covered entity (CE) uses a CSP to create, receive, maintain, or transmit electronic protected health information (ePHI) on the CE's behalf, the CSP is a HIPAA business associate (BA) in its own right. This includes when the CSP processes or stores ePHI. Also, according to HHS, if a HIPAA BA subcontracts with a CSP to create, receive, maintain, or transmit ePHI on the BA's behalf, then the CSP subcontractor is itself a BA. (Regarding subcontractor liability under the 2013 final HIPAA regulations, see Practice Note, HIPAA Privacy Rule: Business Associates.)
As a BA, a CSP is directly liable under HIPAA's privacy, security, and breach notification rules if it:
However, a CSP is not a BA if it receives and maintains (for example, to process or store) only information that is de-identified consistent with procedures under the HIPAA Privacy Rule. De-identified information is not considered PHI.

HHS Dismisses Conduit Exception Regarding Cloud Service Providers

In its guidance, HHS rejects the notion that a CSP is not a BA because it is merely a "conduit" (like the postal service). (Regarding the conduit exception, see Practice Note, Cloud Computing and HIPAA Privacy and Security: Conduit Exception to Business Associate Status.) According to HHS, the conduit exception is limited to transmission-only services for PHI, whether in electronic or paper form, including temporary storage of PHI that is incidental to the transmission. A CSP that maintains ePHI in order to store it is a BA, not a conduit:
  • Even if the CSP never actually views the information.
  • Because the CSP has more persistent access to the ePHI than a transmission-only service does.
HHS views the conduit exception as available only if the sole service provided to a CE or BA is the transmission of ePHI, with no storage of the information other than on a temporary basis incidental to that transmission.

No Safe Harbor for CSPs That Do Not Have Encryption Keys

In some cases, a CSP may:
  • Process or store only encrypted ePHI.
  • Lack an encryption key for the data.
However, HHS indicated that a CSP that lacks the encryption key is nonetheless a HIPAA BA and must satisfy the requirements that follow from BA status. An entity that maintains ePHI on behalf of a CE (or another BA) is a BA even if it cannot actually view the ePHI; lacking the key for encrypted data that it receives and maintains does not exempt it. In its guidance, HHS uses the term "no-view services" to describe an arrangement in which a CSP maintains encrypted ePHI on behalf of a CE (or another BA) without having access to the decryption key.
This means that:
In support of this conclusion, HHS cited certain limitations of encryption. For example, encryption alone does not:
  • Maintain the integrity and availability of ePHI. Encryption does not:
    • prevent the information from being corrupted by malware; or
    • ensure, through contingency planning, that the data remains available to authorized persons during an emergency or disaster.
  • Address the other safeguards that the Security Rule requires to protect confidentiality, including:
    • administrative safeguards, such as analyzing the risks to the ePHI; and
    • physical safeguards for the systems and servers that house the ePHI.
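The following is an added illustration of the two limitations just listed; it is not part of the HHS guidance or of this Practical Law update. It models a no-view CSP that holds only ciphertext and no key, and shows that the CSP (or malware on its servers) can still silently corrupt a record, that an authenticated scheme only detects the corruption without recovering the data, and that no cipher prevents deletion, so availability depends on a copy outside the CSP's control. The cipher is a toy construction (HMAC-SHA256 in counter mode, encrypt-then-MAC), the sample record, the `NoViewStore` class and its misbehaviour are all constructed for the example, and none of it is a recommended production design.

```python
"""Added example: why a CSP holding only ciphertext (no key) can still harm the
integrity and availability of ePHI.  Standard library only.  The cipher is a toy
HMAC-SHA256 counter-mode construction used for illustration (an assumption, not a
production cipher); the record, store class and CSP behaviour are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated encryption: nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); accepts any bytes and never signals tampering."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers both nonce and ciphertext."""
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Rejects any modified object before decrypting (constant-time tag compare)."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: stored object was modified")
    return decrypt(enc_key, body)


class NoViewStore:
    """Constructed model of CSP storage: never sees a key, fully controls the bytes."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put(self, name: str, blob: bytes) -> None:
        self.objects[name] = blob

    def get(self, name: str) -> Optional[bytes]:
        return self.objects.get(name)

    def flip_bit(self, name: str, offset: int) -> None:
        """Bit rot, a buggy storage layer, or malware on the CSP's servers."""
        b = bytearray(self.objects[name])
        b[offset] ^= 0x01
        self.objects[name] = bytes(b)

    def delete(self, name: str) -> None:
        """Ransomware, operator error, or the CSP cutting the customer off."""
        self.objects.pop(name, None)


def demo() -> dict:
    record = b"patient_id=12345;dx=E11.9"          # constructed sample ePHI record
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    last_byte = NONCE_LEN + len(record) - 1        # ciphertext byte hiding the final '9'
    store, results = NoViewStore(), {}

    # 1. Integrity: with unauthenticated encryption, one flipped ciphertext bit
    #    becomes a silently altered diagnosis code (E11.9 -> E11.8) on decryption.
    store.put("rec1", encrypt(enc_key, record))
    store.flip_bit("rec1", last_byte)
    results["silently_altered"] = decrypt(enc_key, store.get("rec1"))

    # 2. An authenticated scheme detects the change, but detection is not recovery:
    #    the record is still unusable unless another copy exists.
    store.put("rec2", encrypt_then_mac(enc_key, mac_key, record))
    store.flip_bit("rec2", last_byte)
    try:
        verify_and_decrypt(enc_key, mac_key, store.get("rec2"))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # 3. Availability: no cipher stops the CSP from deleting the object; only a
    #    copy held outside the CSP (the contingency plan) restores the record.
    backup = encrypt_then_mac(enc_key, mac_key, record)   # retained by the CE/BA
    store.put("rec3", backup)
    store.delete("rec3")
    results["gone_from_csp"] = store.get("rec3") is None
    results["restored_from_backup"] = verify_and_decrypt(enc_key, mac_key, backup)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The first case is the one that matters for a HIPAA risk analysis: the altered record decrypts cleanly, so nothing in the CE's pipeline raises an alarm, which is exactly why HHS does not treat "the CSP cannot read it" as equivalent to "the CSP cannot harm it". The second and third cases show what the CE or BA must add on its own side of the arrangement: an integrity check on every object it reads back, and a backup it controls.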
The guidance addresses certain implications for no-view services arrangements from privacy, security, and breach notification perspectives, as follows.

Privacy Rule Implications

According to HHS, although a CSP that provides only no-view services to a CE or BA may not control who views the ePHI, the CSP must still ensure that it only uses and discloses the encrypted information as permitted by its BAA and HIPAA's Privacy Rule. For example, this includes ensuring that the CSP does not impermissibly use ePHI by blocking or terminating a CE's or BA's access to the ePHI (see Legal Update, PHI Access Rights for HIPAA Covered Entities at Issue in HHS Guidance).
The Privacy Rule also imposes standards regarding BAAs, which HHS's guidance addresses in the cloud computing context. For example, a BA must make available PHI as necessary for the CE to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of certain disclosures of PHI (see Practice Notes, HIPAA Privacy and Security (Individual Rights): Right of Accounting and Other Rights and HIPAA Privacy and Security (Individual Rights): Right of Access to PHI).

Security Rule Implications

CSPs that are BAs must satisfy governing standards and implementation specifications for ePHI under HIPAA's Security Rule (see Practice Note, HIPAA Security Rule). The guidance addresses some situations in which CSPs that provide only no-view services to a CE or BA may satisfy some Security Rule requirements for both parties (for example, authentication controls). Even so, the CSP (as a BA) may be responsible under the Security Rule for adopting other reasonable and appropriate controls to limit access to information systems that maintain ePHI.

Breach Notification Implications

As a BA, a CSP that offers only no-view services to a CE or BA must satisfy HIPAA's breach notification requirements, including notifying a CE or BA of breaches of unsecured PHI (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). HHS's guidance addresses how applicable encryption standards impact these breach notification obligations.

Risk Analyses Required

Under the HHS guidance, CEs and BAs may use cloud services to store or process ePHI, provided that the CE or BA:
  • Has in place a BAA with the CSP that will be creating, receiving, maintaining, or transmitting ePHI on the CE's or BA's behalf.
  • Otherwise satisfies HIPAA's privacy, security, and breach notification rules.
A CE or BA should understand a particular CSP's cloud computing environment or solution so that it can undertake a risk analysis and establish risk management policies (in addition to entering into a BAA with the CSP). (Regarding HIPAA risk analyses, see Practice Note, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Enforcement and Group Health Plans: Penalties and Investigations.) For example, although a CE or BA may use cloud-based services of any configuration (for example, public, private, or a combination of the two), the configuration selected may impact the parties' risk analysis and risk management plans and, as a result, the BAA's provisions.

Use of Service Level Agreements

According to HHS, the parties to a CSP arrangement may use a service level agreement (SLA) to address the parties' business expectations in greater detail. (For analysis of SLAs in the HIPAA cloud computing context, see Practice Note, Cloud Computing and HIPAA Privacy and Security: Service Level Agreements With Cloud Providers.) An SLA might address:
  • System availability and reliability.
  • Backup and data recovery, including in response to a ransomware attack or other emergency situation (see Legal Update, Ransomware Attacks Addressed in HIPAA Security Guidance).
  • How data will be returned to the CE or BA after service use termination.
  • Security responsibility.
  • Use, retention, and disclosure restrictions.
The SLA's terms should be consistent with the governing BAA and HIPAA's privacy, security, and breach notification rules.

Consequences If a Business Associate Agreement Is Not in Place

According to HHS, a CE or BA violates HIPAA's privacy, security, and breach notification rules if it uses a CSP to maintain ePHI without entering into a BAA with the CSP. In this context, HHS expressly referenced a recent enforcement action involving ePHI stored on a cloud-based server (see Legal Update, Despite Six Risk Analyses, University Must Pay $2.7 Million in HIPAA Settlement).
HHS's general position is that a CSP that is a BA must satisfy HIPAA's privacy, security, and breach notification rules regardless of whether it has executed a BAA with the CE or BA that uses its services. However, the guidance addresses an affirmative defense that may apply if a CSP lacks actual or constructive knowledge that a CE or another BA is using its services to create, receive, maintain, or transmit ePHI. A CSP that becomes aware that it is maintaining ePHI must either:
  • Come into compliance with HIPAA's privacy, security, and breach notification rules.
  • Securely return the ePHI to the CE or BA (or, if agreed to by the CE or BA, securely destroy the ePHI).
A CSP in this situation generally is no longer a BA after it securely returns or destroys the ePHI.

Cloud Service Providers Must Report Security Incidents

A CSP that is a BA and experiences a security incident involving a CE's or BA's ePHI must report the incident to the CE or BA (see Practice Note, HIPAA Security Rule: Security Incident Procedures). The CSP also must adopt policies and procedures to address and document security incidents. HHS observed that although HIPAA's breach notification rules dictate the content, timing, and other reporting requirements involving breaches of unsecured PHI, the parties have some flexibility under a BAA to structure the reporting of other security incidents, including the level of detail, frequency, or format of incident reports (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans).

Use of Mobile Devices Permitted

CEs (including health care providers) and BAs may use mobile devices to access ePHI in the cloud, provided that:
  • Appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI both on the mobile device and in the cloud.
  • BAAs are in place with any third-party service providers for the device (or the cloud) that will have access to the ePHI.

Use of ePHI After Service Period Ends

A CSP need not maintain ePHI for any particular period of time after it finishes providing services to a CE or BA. Under the Privacy Rule, a BAA must require a BA to return or destroy all PHI at the termination of the BAA where feasible (see also Practice Note, Disposing of Protected Health Information Under HIPAA).
If return or destruction is not feasible, the BAA must:
  • Extend the privacy and security protections of the BAA to the ePHI.
  • Limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Storing ePHI on Servers Outside the US

HHS indicates in its guidance that a CE or BA may use a CSP that stores ePHI on servers outside of the US, assuming a compliant BAA is in place. HHS emphasized that:
  • Risks to ePHI may vary significantly based on geographic location.
  • Outsourcing storage or other services for ePHI overseas raises unique concerns regarding the enforceability of privacy and security protections over the data.
CEs and BAs (which include CSPs) should factor these additional risks (for example, increased hacking attempts or malware attacks) in performing their risk analysis under the HIPAA Security Rule.

Practical Impact

As with the HHS guidance received earlier this year in the individual rights space, this new cloud computing guidance is only subregulatory in nature, and not the result of notice-and-comment rulemaking reflecting the regulated community's formal input (see Legal Updates, HHS Addresses HIPAA Individual Rights in FAQ Guidance and HHS FAQs Address Permitted Costs for Copies of PHI and More). Nonetheless, it seems fair to assume that HHS will use the guidance as a springboard for additional HIPAA privacy, security, and breach notification enforcement activity focused on cloud computing compliance. As a result, this guidance is required reading for CSPs and the CEs and other BAs that do business with them. At a minimum, CEs and BAs should determine whether they are treating CSPs as BAs (we suspect that many are not) and whether they have BAAs in place with these entities.
The guidance addresses a number of other issues including, for example, the documentation and auditing of CSP security practices.