September 21, 2020

Volume X, Number 265


September 18, 2020


Office for Civil Rights Provides New BA Guidance to Cloud Providers

In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules, through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system in the cloud versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have debated for quite some time: whether a CSP is a business associate if the Protected Health Information (PHI) stored in its cloud is encrypted and the CSP does not possess the encryption key.

Encryption Does Not Exempt CSPs from Business Associate Obligations

According to OCR, if a CSP creates, receives, maintains, or transmits electronic PHI (ePHI), e.g., to process or store it, on behalf of a Covered Entity or a Business Associate, then the CSP meets the definition of a “Business Associate” under the HIPAA Rules even if the ePHI is encrypted and the CSP does not possess the encryption key. In an FAQ, OCR further clarifies that performing services that do not allow for actual access to or viewing of ePHI (“no-view services”) does not allow an organization to circumvent the Business Associate requirements; rather, maintaining ePHI on behalf of a Covered Entity in and of itself qualifies a CSP as a Business Associate. OCR’s rationale for this position is that even though encryption protects against inappropriate viewing of or access to ePHI, it does not necessarily maintain the ePHI’s integrity and availability, such as by protecting it from being corrupted by malware or ensuring that it remains available during emergency situations, both of which are required for compliance with the HIPAA Security Rule.

OCR provided additional guidance on “no-view services” arrangements with CSPs and their Security Rule implications. Specifically, OCR noted that while such CSPs remain responsible under the Security Rule for implementing and maintaining reasonable and appropriate controls to limit access to the information systems that maintain ePHI, given that “no-view services” CSPs do not possess the key to unlock encrypted PHI, certain Security Rule requirements may be satisfied for both a Covered Entity and a CSP by the actions of the Covered Entity. OCR provided the following example:

[I]f a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.

In this regard, OCR also noted that a CSP is not responsible for compliance failures that result from actions or inactions of its Covered Entity (or Business Associate) customers and for which the parties had agreed that the CSP was not responsible. OCR also shed light on the Privacy Rule requirements for CSPs performing “no-view services.” Like any other Business Associate, a CSP is prohibited from using or disclosing encrypted PHI unless the use or disclosure is permitted by the BAA and the Privacy Rule. For example, blocking the Covered Entity or Business Associate customer from accessing the ePHI is not a permitted use under the HIPAA Rules; thus, a CSP could not use PHI in this manner without running afoul of its BAA and the HIPAA Rules.

CSPs Are Not “Mere Conduits” if They Store or Retain PHI

In another FAQ, OCR addresses whether a CSP can be viewed as a “mere conduit,” which would exempt the CSP from the HIPAA Rules governing Business Associates. OCR reiterated its longstanding position and emphasized that the conduit exception is an extremely narrow one. A CSP will only be considered a conduit if the services it provides are transmission-only services and do not involve any storage or retention of PHI beyond that which is temporarily necessary for its performance of the transmission services. To the extent a CSP provides both storage and transmission services, its Business Associate obligations will apply to both service lines, not just the storage services.

Downstream CSPs Are Business Associates Even If They Don’t Know It

CSPs have expressed concerns that they may not know that they are providing services to a Business Associate or other downstream subcontractor if they are not asked to enter into a Business Associate Agreement (BAA). OCR affirmed that if a CSP provides services such that it meets the definition of a Business Associate, then despite not having executed a BAA, the CSP is still liable as a Business Associate. However, OCR acknowledged that there may be situations where a CSP does not have “actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI.”

According to OCR, upon discovery of this circumstance, the CSP should correct its HIPAA non-compliance (by fully complying with all applicable HIPAA Rules or by securely returning or destroying any ePHI within its possession) within 30 days in order to take advantage of the affirmative defense that HIPAA provides, which permits Covered Entities or Business Associates to correct non-compliance during that timeframe (which begins on the date that they knew or should have known about a violation). OCR indicated that it could extend the 30 days by a period it determines appropriate based on the nature and extent of the non-compliance. However, OCR also emphasized that a CSP cannot rely on this affirmative defense if its lack of knowledge was due to the CSP’s own willful neglect. It is highly recommended that a CSP that finds itself in this position thoroughly document the circumstances and all actions taken to achieve compliance with the HIPAA Rules or to securely return or destroy the ePHI.

Unique Cloud Security Issues: Audits, Offshoring, and Maintenance of ePHI

Audit Obligations: In light of highly publicized vendor breaches, Covered Entities (and Business Associates with respect to their Subcontractors) have begun questioning whether OCR expects them to audit their Business Associates. OCR confirmed that its position is that the HIPAA Rules simply require Covered Entities and Business Associates to obtain satisfactory assurances from their contractors and vendors in the form of a BAA, and that the HIPAA Rules do not require audits of such entities.

Offshoring: CSPs often maintain data on servers outside the U.S., and this “offshoring” of PHI raises concerns related to security and enforcement. According to OCR, the HIPAA Rules do not specifically prohibit or even address offshoring. However, OCR emphasized that storage and processing of PHI outside of the U.S. may increase the risks and vulnerabilities to the data or may create issues of enforceability of the BAA, all of which must be addressed by the contracting parties, including CSPs, as part of their HIPAA Security Rule risk analysis and risk management plan obligations.

Maintenance of ePHI: As is the case for other Business Associates, a CSP is not required to maintain ePHI beyond the time it provides services to a Covered Entity or Business Associate. In fact, the BAA required by the HIPAA Privacy Rule must require that the CSP return or destroy the ePHI at the termination of the BAA (which generally occurs upon termination of the provision of services); if destruction or return is not feasible, the CSP must extend the privacy and security protections of the BAA to the ePHI that it retains and limit its further uses and disclosures to the purposes that make the return or destruction infeasible.

Other Key Points

  • Underlying agreements with CSPs typically include Service Level Agreements (SLAs), which frequently contain provisions that affect HIPAA compliance, such as system availability/reliability, data back-up and recovery, responsibility for security, and return of data after termination of the SLA. OCR cautioned that such SLAs should be consistent with both the BAA that the CSP executes and the HIPAA Rules, and emphasized that an SLA cannot prevent a Covered Entity from accessing its own PHI. Agreeing to SLA terms that violate the HIPAA Rules will create compliance issues for the Covered Entity (or the Business Associate in a Subcontractor relationship).

  • A CSP must implement policies and procedures in conformity with the Security Rule and the Breach Notification Rule to document and report security incidents to its Covered Entity and Business Associate customers.

  • OCR does not endorse, certify, or recommend specific technology or products for HIPAA-compliant cloud services.

  • Covered Entities and Business Associates can use mobile devices to access ePHI stored in a cloud by a CSP in the same way as in a non-cloud arrangement, i.e., the parties must have the appropriate BAA in place requiring the CSP to implement and maintain appropriate physical, administrative, and technical safeguards to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume VI, Number 288

About this Author

Lisa J. Acevedo, Polsinelli, HIPAA Compliance Lawyer, Health Privacy Matters Attorney
Shareholder

Lisa Acevedo provides strategic counsel in the areas of federal health privacy laws, including HIPAA, as amended by the HITECH Act, FERPA, the Confidentiality of Alcohol and Drug Abuse Treatment Records Regulation, as well as state laws governing the confidentiality of health information, medical records, mental health records, and records containing other highly sensitive information. She has assisted clients through security breaches and the notification process, both at the federal and state levels.   

She guides clients through the...

312.463.6322
Daniel L. Farris, Polsinelli PC, fiber optic networking Lawyer, data center operations attorney, Chicago
Associate

As a former software engineer and network administrator in the telecommunications industry, Daniel offers his clients real-world experience in fiber optic networking, data center operations, cloud computing, mobile app development, and data privacy and security matters. His practice is founded upon understanding how technology can strengthen and expand the core mission of his clients’ businesses.

312.463.6323
Erin Fleming Dunlap, Polsinelli, Compliance Matters Attorney, Health Insurance Portability Lawyer,
Shareholder

Erin Dunlap is proactive and quick to respond to clients' needs. She regularly advises health care clients on legal and regulatory compliance matters. She also has a litigation background that enables her to assist clients when things do not go as planned, such as when a laptop containing patient information is stolen, a patient threatens to sue for improper disclosure, or law enforcement demands the production of medical records. 

Erin focuses primarily on privacy and security issues arising under:

  • Health...

314.622.6661
Associate

In a regulatory environment where even the most minor details matter, Rebecca Frigy Romine thrives on helping clients find practical and creative solutions and action plans.

Her practice focuses on many facets of the general health care business with a specific emphasis on the privacy and security of health information and medical staff issues.

Rebecca has significant experience in and frequently writes on these topics and remains abreast of regulatory changes and best practice.

314-889-7013
Associate

Katie Kenney specializes in HIPAA/HITECH issues and delivers particular strength in privacy, security, and breach regulatory issues for covered entities and business associates. Prior to joining the firm, Katie worked for the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). At OCR, she served as the subject matter expert for breach notification, assisted in the administrative rulemaking process, drafted Preamble language for the recently published Omnibus Rule amending HIPAA, and actively participated on OCR’s audit team. Katie’s time at...

312-463-6380