OCR Provides New BA Guidance to Cloud Providers

By Lisa J. Acevedo, Lisa S. Katz, Rebecca Frigy Romine, Kathleen D. Kenney, Lindsay R. Dailey, and Erin Fleming Dunlap

In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents* to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Part 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud, versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have continued to debate for quite some time - whether a CSP is a business associate if the Protected Health Information (PHI) that is stored in its cloud is encrypted and the CSP does not possess the encryption key.

Encryption Does Not Exempt CSPs from Business Associate Obligations

According to OCR, if a CSP creates, receives, maintains, or transmits electronic PHI (ePHI), e.g., to process or store it, on behalf of a Covered Entity or a Business Associate, then the CSP meets the definition of a “Business Associate” under the HIPAA Rules even if the ePHI is encrypted and the CSP does not possess the encryption key. In an FAQ, OCR further clarifies that performing services that do not allow for actual access or viewing of ePHI (“no-view services”) does not allow an organization to circumvent the Business Associate requirements – rather, maintaining ePHI on behalf of a Covered Entity in and of itself qualifies a CSP as a Business Associate. OCR’s rationale for this position is that even though encryption protects against inappropriate viewing of or access to ePHI, it does not necessarily maintain the ePHI’s integrity and availability, such as by protecting it from being corrupted by malware, or ensuring that it remains available even during emergency situations, which is required for compliance with the HIPAA Security Rule.

OCR provided additional guidance on the “no-view services” arrangements with CSPs and the Security Rule implications. Specifically, OCR noted that while such CSPs remain responsible under the Security Rule for implementing and maintaining reasonable and appropriate controls to limit access to their information systems that maintain ePHI, given that “no-view services” CSPs do not possess the key to unlock encrypted PHI, certain Security Rule requirements may be satisfied for both a Covered Entity and a CSP by the actions of the Covered Entity. OCR provided the following example:

[I]f a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.

In this regard, OCR also noted that a CSP is not responsible for compliance failures that are the result of actions or inactions of its Covered Entity (or Business Associate) customers and for which the parties had agreed that the CSP was not responsible. OCR also shed light upon the Privacy Rule requirement of CSPs performing “no-view services.” Like any other Business Associate, a CSP is prohibited from using or disclosing encrypted PHI unless the use or disclosure is permitted by the BAA and the Privacy Rule. For example, blocking the Covered Entity or Business Associate customer from accessing the ePHI is not a permitted use under the HIPAA Rules – thus, a CSP could not use PHI in this manner without running afoul of its BAA and the HIPAA Rules.  

CSPs Are Not “Mere Conduits” if They Store or Retain PHI

In another FAQ, OCR also addresses whether a CSP can be viewed as a “mere conduit,” which would exempt the CSP from the HIPAA Rules governing Business Associates.** OCR reiterated its longstanding position and emphasized that the conduit exception is an extremely narrow one. A CSP will only be considered a conduit if the services it provides are transmission-only services and do not involve any storage or retention of PHI – beyond that which is temporarily necessary for its performance of the transmission services. To the extent a CSP provides both storage and transmission services, its Business Associate obligations will apply to both service-lines, not just the storage services.

Downstream CSPs Are Business Associates Even If They Don’t Know It

CSPs have expressed concerns that they may not know that they are providing services to a Business Associate or other downstream subcontractors, if they are not asked to enter into a Business Associate Agreement (BAA). OCR affirmed that if a CSP provides services such that it meets the definition of a Business Associate, then despite not having executed a BAA, the CSP is still liable as a Business Associate. However, OCR acknowledged that there may be situations where a CSP does not have “actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI.”   
According to OCR, upon discovery of this circumstance, the CSP should correct its HIPAA non-compliance (by fully complying with all applicable HIPAA Rules or securely returning or destroying any ePHI within its possession) within 30 days in order to take advantage of the affirmative defense that HIPAA provides which permits Covered Entities or Business Associates to correct non-compliance during such timeframe (which begins on the date that they knew or should have known about a violation). OCR indicated that it could extend the 30 days by a time period it determines appropriate based on the nature and extent of the non-compliance.  However, OCR also emphasized that a CSP cannot rely on this affirmative defense if its lack of knowledge was due to the CSP’s own willful neglect. It is highly recommended that if a CSP finds itself in this position, it thoroughly document the circumstances and all actions taken to achieve compliance with the HIPAA Rules or to securely return or destroy the ePHI.

Unique Cloud Security Issues: Audits, Offshoring, and Maintenance of ePHI

Audit Obligations: In light of highly publicized vendor breaches, Covered Entities (and Business Associates related to their Subcontractors) have begun questioning whether OCR expects them to audit their Business Associates. OCR confirmed that its position is that the HIPAA Rules simply require Covered Entities and Business Associates to obtain satisfactory assurances from their contractors and vendors in the form of a BAA and that the HIPAA Rules do not require audits of such entities.

Offshoring:  CSPs often maintain data in servers outside the U.S. and, as a result, this “offshoring” of PHI triggers concerns related to security and enforcement. According to OCR, the HIPAA Rules do not specifically prohibit or even address offshoring. However, OCR emphasized that storage and processing of PHI outside of the U.S. may increase the risks and vulnerabilities to the data or may create issues of enforceability of the BAA, all of which must be addressed by the contracting parties, including CSPs, as part of their HIPAA Security Rule risk analysis and risk management plan obligations. 

Maintenance of ePHI: Just as is the case for other Business Associates, a CSP is not required to maintain ePHI beyond the time it provides services to a Covered Entity or Business Associate. In fact, the BAA that is required to be in place by the HIPAA Privacy Rule must require that the CSP return or destroy the ePHI at the termination of the BAA (which generally occurs upon termination of the provision of services), and if destruction or return is not feasible, the CSP must extend the privacy and security protections of the BAA to the ePHI that it retains and limit its further uses and disclosures to the purposes that make the return or destruction infeasible.

Other Key Points

  • Underlying agreements with CSPs typically include Service Level Agreements or SLAs, which frequently contain provisions that impact HIPAA compliance such as system availability/reliability, data back-up and recovery, responsibility for security and return of data after termination of the SLA. OCR cautioned that such SLAs should be consistent with both the BAA that the CSP executes, as well as the HIPAA Rules, and OCR emphasized that an SLA cannot prevent a Covered Entity from accessing its own PHI. Agreeing to SLA terms that violate the HIPAA Rules will create compliance issues for the Covered Entity (or the Business Associate in a Subcontractor relationship).  
  • A CSP must implement policies and procedures in conformity with the Security Rule and the Breach Notification Rule to document security incidents to its Covered Entity and Business Associate customers.
  • OCR does not endorse, certify or recommend specific technology or products for HIPAA-compliant cloud services.  
  • Covered Entities and Business Associates can use mobile devices to access ePHI stored in a cloud by a CSP in the same way that would apply to a non-cloud arrangement, i.e., the parties must have the appropriate BAA in place requiring the CSP to implement and maintain appropriate physical, administrative, and technical safeguards to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud. 

 

*See, e.g., OCR Guidance on Ransomware (July 11, 2016) and OCR Guidance for Long Term Care Facilities (May 2016).

**See OCR’s analysis of the “conduit” exemption at 78 Fed. Reg. 5565, 5571 (January 25, 2013).