The Department of Health and Human Services recently issued some much-needed guidance on how HIPAA applies when protected health information (“PHI”) is stored in the cloud. Some key highlights are below.
Cloud providers that store encrypted PHI, but have no ability to decrypt that PHI, are still business associates.
Cloud service providers (“CSPs”) and covered entities have previously debated whether CSPs are subject to HIPAA where they merely store or process encrypted PHI, but lack the decryption key to actually view that PHI. Reasonable minds may disagree, but HHS has settled the question in the affirmative, stating that “[l]acking an encryption key does not exempt a [cloud provider] from business associate status and obligations under the HIPAA Rules.” To mitigate the collective gasp from industry, HHS softened its stance by observing that HIPAA is “flexible and scalable to take into account the no-view nature of the services” provided.
For example, in such “no-view” arrangements, certain Security Rule requirements may be satisfied for both parties through the actions of one party. If only the customer can control who can view the PHI, the customer may satisfy both its own and the CSP’s access control responsibilities. HHS cautions, however, that CSPs may still be required to implement appropriate internal controls to prevent unauthorized access to administrative tools that would affect the operation of the CSP’s services or the integrity of the data maintained by the CSP. Significantly, HHS observed that where the business associate agreement (“BAA”) provides that the customer will control and implement certain features of the cloud service, and the customer fails to do so, OCR (the HHS Office for Civil Rights) will consider this an important and relevant factor in assessing compliance by both the customer and the CSP.
CSPs offering “no-view” services must still ensure that they use and disclose encrypted information only as permitted by the BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, making PHI available to the customer so the customer can incorporate amendments pursuant to HIPAA.
HHS also stated that breaches of encrypted data may still be reportable by CSPs to customers, if the encryption does not meet HIPAA standards or the decryption key was also breached. What remains unclear, however, is the extent to which a CSP must confirm that its customer’s encryption met HIPAA standards.
Relief for CSPs that have no idea they are handling PHI.
HHS also recognized the challenges faced by many CSPs that merely offer a service and have no reason to know their customers are using the service to process or maintain PHI. HHS observes that HIPAA provides an affirmative defense, provided a CSP takes action to correct any non-compliance within 30 days (generally) of the time the CSP knew or should have known of the violation. HHS recommends that in these instances, CSPs should immediately come into compliance with HIPAA, securely return the PHI to the customer, or securely destroy the PHI. HHS further recommends that CSPs maintain documentation of such actions.
Contracts matter.
HHS affirmed that covered entities and business associates using cloud services to store or process PHI must enter into BAAs. The BAA should take into account the type of cloud computing environment or solution that will be provided by the cloud service provider. For example, BAAs governing public cloud-based services may call for different risk management provisions than those governing private cloud-based services. HHS further observed that cloud providers and customers may enter into service level agreements that cover HIPAA concerns such as (a) system availability and reliability; (b) back-up and data recovery; (c) data retrieval after termination; (d) security responsibility; and (e) use, retention, and disclosure limitations.
Other points covered by the Guidance.
The Guidance also covered other issues associated with cloud computing, including:
- CSPs are not “conduits,” even if they offer only “no-view” services;
- Business associates are responsible for reporting security incidents, though the level of detail, frequency, and format of the reports may vary;
- HIPAA does not require a business associate to maintain PHI beyond the time it provides services to a covered entity or business associate;
- Covered entities or business associates may use CSPs that store PHI on servers outside of the United States, though location should be considered in conducting a HIPAA-required risk analysis; and
- HIPAA does not mandate that business associates provide documentation or allow auditing of their security by customers, though customers are free to demand it.
In light of this guidance, CSPs and business associates using CSPs as subcontractors should consider evaluating their BAAs and practices related to the services provided pursuant to such agreements.