New guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) requires cloud service providers (CSP) that store patient information to be HIPAA compliant.
While CSPs have typically been treated as business associates when electronic protected health information (ePHI) is involved, there has never been any explicit requirements set fourth by HHS until now. The new guidance solidifies the fact that cloud service providers must now have a business associate agreement with covered entities and other business associates when ePHI is involved.
The new guidance also debunks some of the myths around CSPs not having to maintain HIPAA compliance, such as that they are only a ‘conduit’ of ePHI, and/or they do not have the ability to view or decrypt ePHI stored in their cloud. Those arguments (and others) are addressed directly in the guidance, and no longer exclude cloud providers from having to comply with HIPAA regulations. There is still a ‘conduit exception’, but it only applies to ‘transmission-only’ services, where the access to PHI is ‘transient’ in nature. ‘Cloud service providers’ as we know them, are unlikely to be affected by this exception.
These new regulations require that all cloud service providers that store ePHI on behalf of a covered entity (or business associate) must enter into a business associate agreement (BAA), regardless of any and all security or encryption measures already in place. Even in the best case scenario, where covered entities or business associates manage their own encryption keys (i.e. – the CSP does not have a decryption key, and therefor no access to patient data), the guidance clearly states that it “does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules“.
In a nutshell, CSPs that store ePHI must maintain HIPAA compliance by:
- Entering into a Business Associate Agreement
- Performing a HIPAA Security Risk Analysis
- Complying with the HIPAA Privacy Rule
- Complying with the HIPAA Security Rule
- Complying with the Breach Notification Rule
In becoming a business associate, cloud service providers will be also either need to 1. make sure their current policies and agreements are in alignment with the guidance put forth by the HHS, or 2. change their current policies and agreements to make sure they fall within compliance requirements.
Some areas that may need to be addressed:
- CSP BAs are prohibited from restricting access to client’s ePHI data
Policies that lock users out of their accounts, or prevent them accessing their ePHI data under any circumstances must be updated.
- CSP BAs are required to report all breaches of unsecured PHI
Unsecured PHI is defined as PHI that has not been destroyed or encrypted (or not encrypted/destroyed to a secure enough standard).
- CSP BAs need to ensure all their business partners and sub-contractors are HIPAA compliant
Any entity that provides services such as data centers, backup, support, etc. must also adhere to the guidelines.
As you can see, the new guidance has far reaching implications. They will require cloud service providers that want to deal in PHI to have a close working relationship with their clients, especially in regards to the separation of security responsibilities. In the event of a breach, those decisions will ultimately determine who is liable and who pays the fines. They will require discussions and policy about what happens to PHI data if a client is unable to pay their CSP bill. There will need to be policies and procedures in place to prove that data wiped on a deleted account was performed according to regulation. The list goes on.
Truly complying with the HIPAA Privacy Rule, Security Rule, and Breach Notification rule can be a daunting process. Whether you are a business associate or cloud service provider, simply signing a Business Associate Agreement without fully understanding the implications could be financially disastrous and severely damaging to your reputation. And, always make sure you have a clear Service Level Agreement to address business expectations between the CSP and its customer.