Is a Cloud Vendor a Business Associate?
Before a covered entity can use cloud storage for ePHI, the covered entity must enter into a business associate agreement (BAA) with the cloud vendor.[1] It seems that there is some uncertainty surrounding this requirement, with some cloud vendors taking the position that a BAA is unnecessary for passive storage of ePHI or that they qualify for an exception under the HITECH Act as a personal health records vendor.
HIPAA defines a business associate as anyone that performs on behalf of a covered entity a function or activity regulated under the HIPAA privacy and security regulations.[2] HIPAA regulates a covered entity’s passive storage of ePHI by imposing on the covered entity strict requirements to ensure the confidentiality, integrity and availability of ePHI maintained by the covered entity.[3] Because HIPAA regulates a covered entity’s passive storage of ePHI, disclosure of ePHI by the covered entity to a cloud vendor for the purpose of storing the ePHI makes the vendor a business associate.[4] Because the cloud vendor is a business associate, a BAA is required before the vendor assumes responsibility for the ePHI.[5]
The Health and Human Services (HHS) Office of Civil Rights (OCR) enforces HIPAA’s Privacy Rule and Security Rule.[6] During a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute, OCR’s David Holtzman, Information Privacy Division, said “[i]f you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.”
Selecting a Cloud Vendor
From a compliance perspective, the most important consideration when establishing an ePHI storage arrangement with a cloud vendor is to negotiate and execute a HIPAA-compliant BAA with the vendor. HITECH imposes certain security and privacy requirements directly on business associates, but a BAA is still required for a covered entity to discharge its HIPAA obligations with respect to ePHI disclosed to a cloud vendor.[7] As with any other business associate arrangement, the business associate will be directly and contractually obligated to comply with the applicable provisions of the HIPAA and HITECH regulations, including implementing and maintaining appropriate safeguards, protecting the confidentiality of ePHI and notifying the covered entity in the event of a breach.
Other considerations when selecting a cloud vendor include confirming the rigor of the authentication protocols the cloud vendor imposes, confirming that the vendor adequately ensures the covered entity’s data is and remains segregated from other tenants’ data in the shared cloud, and confirming that the form and format of ePHI delivered to and from the cloud vendor is compatible with the covered entity’s needs.
Another important consideration is the level of encryption the cloud vendor offers for ePHI stored in the cloud and for ePHI transferred between the provider and the cloud vendor. HITECH breach notification requirements apply to a breach of unsecured ePHI in transit to and from the cloud as well as ePHI stored in the cloud.[8] Unsecured ePHI means ePHI that is not encrypted so as to make the information unusable to unauthorized individuals.[9] Ensuring adequate encryption for ePHI transferred to and from, and stored with, a cloud vendor significantly reduces the potential for liability associated with a required breach notification.
In summary, “cloud computing” can offer significant advantages for health care providers and related health care entities, but covered entities and their cloud vendor business associates must be mindful that the same HIPAA and HITECH requirements apply “in the cloud.”
1 45 C.F.R. § 160.103.
2 45 C.F.R. § 160.103.
3 45 C.F.R. §§ 164.302, 164.306 and 164.502.
4 45 C.F.R. § 164.103.
5 45 C.F.R. § 164.502(e)(2).
6 The Secretary of HHS delegated authority for administration and enforcement of the Security Rule from CMS to OCR on July 27, 2009.
7 45 C.F.R. § 164.502(e)(2); HITECH Act, Pub. L. 111-5 §§ 13401, 13404.
8 45 C.F.R. § 164.404.
9 45 C.F.R. § 164.402.