Recent guidance issued by the Department of Health and Human Services (“HHS”) clarifies the extent to which cloud service providers are subject to the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The new HHS guidance explains that cloud service providers (“CSPs”) which create, receive, maintain, or transmit electronic protected health information (“ePHI”) on behalf of HIPAA-covered entities and business associates are directly liable under HIPAA as a business associate. Furthermore, HIPAA-covered entities and business associates are required to enter into HIPAA-compliant business associate agreements with CSPs that create, receive, maintain, or transmit ePHI on their behalf.
HIPAA-covered entities and business associates should be familiar with the HIPAA privacy and security rules, but the application of the rules to CSPs will pose new compliance hurdles. HIPAA-covered entities are health plans, health care clearinghouses, and health care providers that conduct electronic billing and payment transactions. For example, a group health plan that submits electronic payments to a third-party administrator, and a hospital that electronically bills patients are both HIPAA-covered entities. Business associates (entities or individuals such as vendors and third-party administrators that perform functions on behalf of, or provide services to, a covered entity) must also comply with HIPAA to the extent they create, receive, maintain, or transmit ePHI on behalf of covered entities. The HIPAA privacy, security, and breach notification rules require covered entities and business associates to protect individually identifiable health information, limit uses and disclosures of such information, and safeguard against impermissible uses and disclosures of the information. As covered entities and business associates have increasingly turned to CSPs to process and store ePHI on their behalf, the direct application of the HIPAA rules to such CSPs has remained uncertain.
The new HHS guidance makes clear that CSPs are directly liable under HIPAA if they create, receive, maintain, or transmit ePHI on behalf of a covered entity or on behalf of a business associate of a covered entity (such as by processing or storing the covered entity’s ePHI on the CSP server) even if the CSP cannot access the data. This means that a CSP that only receives encrypted or de-identified information from a covered entity or business associate must still comply with the HIPAA rules.
This guidance may come as a shock to many covered entities and business associates that have long assumed CSPs do not face or create HIPAA-compliance concerns if the CSPs cannot access shared data. Indeed, it may be an even greater shock to CSPs who have long claimed to be exempt from HIPAA’s reach. Now, however, once a CSP creates, receives, maintains, or transmits ePHI on behalf of a covered entity or business associate, it becomes a HIPAA business associate and is required to directly comply with the privacy, security, and breach notification rules applicable to business associates. A CSP also becomes a business associate when it is subcontracted by another business associate to create, receive, maintain, or transmit ePHI.
Immediate action items for covered entities and business associates include:
- Entering into HIPAA-compliant business associate agreements with CSPs. HHS stated that a covered entity or business associate that uses a CSP to maintain ePHI without entering into a business associate agreement is in violation of HIPAA. A service level agreement (“SLA”) can satisfy the business associate agreement requirement as long as the SLA complies with the HIPAA business associate rules.
- Conducting a HIPAA risk analysis to determine whether the services provided by CSPs pose a security risk. For example, the guidance notes that the type of cloud configuration used by the CSP (public, private, or hybrid) may affect a covered entity’s or business associate’s risk analysis. Special consideration should be given to CSPs that outsource storage or other services overseas.
- Determining what additional steps, if any, should be taken to fill gaps in CSP security. CSPs are often targeted by cybercriminals because they potentially hold data for thousands of companies. The guidance notes that a CSP would not be required to report a data breach to a customer if the breached information was encrypted ePHI. One tool a covered entity or business associate may utilize to minimize the security risk in sharing ePHI with CSPs is to share only encrypted data. Declining to provide CSPs a decryption key may further strengthen an entity’s protection, since an attacker who compromises the encryption key can also access the cloud data. Additional assurances for the protection of ePHI can be required through a business associate agreement or service level agreement.
HHS declined to certify specific CSPs, technologies, or products as HIPAA-compliant, so entities must diligently review their CSP agreements and take any steps necessary to comply with the new guidance. The HHS Office for Civil Rights actively audits entities for HIPAA compliance and investigates reported incidents.