OCR Issues Guidance on HIPAA and Cloud Service ProvidersPublications - Client Alert | October 31, 2016
On October 7, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released guidance (the Guidance) on the HIPAA compliant use of cloud computing technologies. The guidance presents frequently asked questions and answers to assist HIPAA regulated cloud service providers (CSP(s)) and their customers, including covered entities and business associates, as applicable, in understanding their duties and responsibilities under HIPAA when they create, receive, maintain or transmit electronic protected health information (ePHI) using cloud products and services.
CSPs generally offer online access to shared computing resources, such as data storage or electronic medical record systems. Common cloud services are on demand Internet access to computing services (e.g., networks, servers, storage, applications). When a covered entity engages a CSP to create, receive, maintain, or transmit ePHI, such as storing or processing ePHI), on its behalf, the CSP is a business associate. As a result, HIPAA requires the covered entity or business associate, as applicable, and CSP enter into a HIPAA compliant business associate agreement (BAA).
Service Level Agreements
Commonly found in the provision of cloud services is a service level agreement (SLA). Under an SLA, expectations regarding the CSP’s performance are specified. Most notably, such specifications often include: (i) availability and uptime (e.g., the percentage of time services will be available, (ii) back up and data recovery, (iii) security responsibility, and/or (iv) system reliability.
In the Guidance, the OCR states that if a covered entity or business associate enters into a BAA with a CSP, which includes an SLA, the “covered entity [or business associate] should ensure that the terms of the SLA are consistent with the BAA and HIPAA.”
“No View Services”
In the Guidance, the OCR refers to services provided by a CSP who maintains encrypted ePHI on behalf of a covered entity without having access to a decryption key1 as “no view services.” The OCR confirms that lacking a decryption key does not exempt a CSP from being a business associate, even if it cannot actually view the covered entity’s or business associate’s ePHI. As a result, covered entities and business associates, as applicable, must have a BAA in place with a CSP providing such no view services. The OCR provides that “[w]hile encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.”
While a CSP that provides only no view services to a covered entity or business associate may not control who views the ePHI, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, ensuring the CSP does not impermissibly use the ePHI by blocking or terminating access by the customer to the ePHI.
However, the OCR recognizes the nature of no view services provided to covered entities and business associates varies; therefore, the Security Rule is flexible and scalable under the circumstances. For example, if a covered entity or business associate implements its own reasonable and appropriate user authentication controls and agrees the CSP providing no view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, the Security Rule access control responsibilities would be met for both parties by the action of the covered entity or business associate, as applicable.
Additional Cloud Service Clarifications
The Guidance also addresses and answers the following:
Covered entities and business associates may enter into a BAA with a CSP that stores ePHI on servers outside the United States. However, the OCR advises there may be certain risks and vulnerabilities depending on the geographical location.
- A CSP that processes and stores only information de-identified in accordance with the Privacy Rule is not a business associate.
A CSP that maintains ePHI for the purpose of storing it will quality as a business associate, and not a conduit, even if the CSP does actually view the information, because the CSP has more persistent access to the ePHI.
If you have any questions regarding Health Information Technology (HIT) and CSPs, please contact your Kutak Rock LLP attorney, a member of our Technology and Intellectual Property or Health Care Practice Group, or one of this alert’s authors, listed below.
1 A key used to encrypt and decrypt data, also called a cryptographic key. See NIST SP 800 47 Part 1 Revision 4, Recommendation for Key Management Part 1: General (January 2016).