The advent of cloud computing has raised questions about how companies subject to HIPAA can take advantage of the technology while still complying with their privacy and security obligations under federal law.  In response, the Department of Health & Human Services’ Office of Civil Rights recently released guidelines to assist HIPAA covered entities, their business associates, and cloud services providers (“CSPs”) in understanding their obligations in processing and maintaining electronic protected health information (“ePHI”).

By way of background, HIPAA protects individuals’ health information by establishing individuals’ rights with respect to such information and limiting the disclosure or use of health information.  HIPAA restrictions apply not only to a “covered entity” (such as a health plan, clearinghouse, or healthcare provider), but also to “business associates” of a covered entity.  The statute defines a business associate to include any entity or person (other than a member of the workforce of a covered entity) that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information.

The guidelines establish that a covered entity or business associate may use a cloud service to store or process ePHI.  But when a covered entity or business associate engages a CSP to create, receive, maintain, or transmit ePHI, the CSP itself becomes a business associate under HIPAA.  The guidelines provide that a CSP cannot avoid becoming a business associate by only storing encrypted ePHI and not retaining the decryption key (so-called “no-view services”).  Even when the CSP provides no-view services, it still is considered a business associate under HIPAA.

Although a CSP is not exempt just because it provides no-view services, the guidelines explain that the HIPAA rules are “flexible and scalable to take into account the no-view nature of the services provided by the CSP.”  For instance, if a CSP is providing only no-view services, some requirements under the HIPAA Security Rule, such as authentication or unique user identification, may be satisfied so long as one side of the transaction (either the covered entity/business associate or the CSP) is in compliance.  But the Breach Notification Rule is not affected by the type of services the CSP provides.  Even if a CSP offers only no-view services, it still must comply with the HIPAA breach notification requirements that apply to business associates.

The guidelines stress that any covered entity or business associate that hires a CSP to perform services relating to ePHI must enter into a HIPAA-compliant business associate agreement (“BAA”).  Failure to do so is a violation of HIPAA rules.  The business associate agreement imposes contractual liability in addition to the CSP’s direct responsibility for complying with HIPAA.  That means that when contracting with a covered entity or business associate, the CSP is directly liable under HIPAA rules if it uses or discloses protected health information not authorized by the contract, required by law, or permitted by the HIPAA Privacy Rule.

The guidelines suggest that a service level agreement (“SLA”) may be used to address more specific business expectations between the CSP and the covered entity or business associate such as system availability and reliability, back-up and data recovery, the return of data to customers following termination of the cloud services, responsibility for security, and limitations on the use disclosure of information.

The guidelines also provide that a covered entity or business associate that engages a CSP must understand the cloud computing environment to facilitate an appropriate risk analysis and to establish risk management policies to protect ePHI.  Similarly, CSPs that provide cloud computing services to covered entities or business associates also should assess their own compliance with the HIPAA requirements.