OCR Issues Guidance on HIPAA and Cloud Computing

Saul Ewing LLP

Summary

On October 7, 2016, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), released a guidance document (the “Guidance”) on the HIPAA-compliant use of cloud computing technologies.  The Guidance includes “frequently asked” questions and answers for covered entities and business associates who use cloud products and services.

The Guidance focuses on cloud computing services provided by third-party cloud services providers (“CSPs”).  The Guidance notes that “CSPs generally offer online access to shared computing resources with varying levels of functionality depending on users’ requirements.” 

The Guidance makes clear that when a covered entity engages a CSP to create, receive, maintain or transmit electronic protected health information (“ePHI”) on its behalf, the CSP is a business associate of the covered entity.  Likewise, when a business associate subcontracts with a CSP to create, receive, maintain or transmit ePHI, the CSP subcontractor is itself a business associate.  A CSP will rarely qualify for the “conduit exception” (an exemption from business associate status): that exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission, and does not extend to a CSP that maintains ePHI on a customer’s behalf.

The Guidance document includes 11 FAQs.

One Guidance FAQ further clarifies that a CSP is a business associate even if the CSP stores only encrypted ePHI and does not hold the decryption key.  Another FAQ specifically affirms that a covered entity (or business associate) must execute a business associate agreement with any CSP it uses to maintain ePHI.  OCR also reminded covered entities and business associates of a previous OCR resolution agreement and corrective action plan that resulted from a covered entity’s failure to execute a business associate agreement with a CSP that stored the ePHI of more than 3,000 individuals on a cloud-based server.

With respect to compliance with the HIPAA Security Rule, the Guidance emphasizes the importance of the covered entity or business associate understanding the cloud environment or cloud computing service provided by the CSP, so that the covered entity or business associate can appropriately conduct its risk analyses and prepare a risk management plan.  The covered entity (or business associate) and the CSP are each responsible for their respective HIPAA compliance.

The final FAQ in the Guidance clarifies that a CSP that receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule is not a business associate because, by definition, de-identified information is not PHI.

CSPs are becoming increasingly common vendors for covered entities and business associates.  The Guidance is useful in clarifying the role of CSPs and the importance of HIPAA compliance when participating in a commercial relationship with a CSP. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
