<div dir="ltr"><a href="http://www.hldataprotection.com/2016/10/articles/health-privacy-hipaa/new-hhs-guidance-makes-clear-hipaa-applies-in-the-cloud/">http://www.hldataprotection.com/2016/10/articles/health-privacy-hipaa/new-hhs-guidance-makes-clear-hipaa-applies-in-the-cloud/</a>
<p>Cloud service providers are on notice: you are HIPAA business
associates, even if you are unable to access the HIPAA-protected
information in your cloud. The Department of Health and Human Services
(HHS) Office for Civil Rights (OCR) released guidance making clear that
cloud service providers (CSPs) that create, receive, maintain, or
transmit electronic protected health information (PHI) are covered by
HIPAA.</p>
<p>The guidance is notable for its broad scope. Whether a CSP offers a
simple cloud storage solution or a complex interactive application for
managing electronic medical records, it should consider whether its
business maintains PHI. If it does, it will need to enter into business
associate agreements (BAAs) and implement an effective HIPAA compliance
program. Likewise, HIPAA covered entities (CEs) must determine whether
the services provided to them by CSPs give rise to HIPAA obligations.
OCR’s latest guidance clarifies how and when HIPAA applies in the cloud
service context.</p>
<p><strong><em>Cloud Service Providers are Business Associates</em></strong></p>
<ul><li><em>HIPAA rules apply even if a CSP cannot access the PHI that it stores.</em>
HIPAA applies even if the CSP has no access to the ePHI it holds.
These “no-view services,” in which a CSP stores encrypted information on
behalf of a covered entity or business associate and does not have the
encryption key, trigger the need for a BAA. Even where the data owner
is the sole party with access to the information, CSPs are not exempt
from their HIPAA obligations as a business associate. The HIPAA
obligations are scalable and may be shared with customers.</li><li><em>The conduit exception does not apply.</em> The guidance
emphasizes that CSPs typically do not qualify for the HIPAA “conduit
exception.” That exception applies only to entities providing
transmission services, and a CSP that stores PHI, even if a “no-view
service,” would not be considered a conduit.</li><li><em>Mobile devices are within scope.</em> CSPs providing services
that function with mobile devices such as phones or tablets are
covered. BAAs must be in place with any CSPs that are storing or will
have access to the PHI. OCR previously released separate <a href="http://www.hldataprotection.com/2016/02/articles/health-privacy-hipaa/ocr-releases-mhealth-guidance-for-app-developers/">guidance</a> on using and securing PHI on mobile devices that complements the cloud computing guidance.</li></ul>
<p><strong><em>Key HIPAA Compliance Obligations for Cloud Service Providers</em></strong></p>
<p>CSPs will need to enter into BAAs and comply with the HIPAA Security
rule and parts of the HIPAA privacy regulations. Key compliance
obligations include:</p>
<ul><li>report any security incidents or breaches of unsecured PHI of which
they become aware to their customers, with limited exception;</li><li>return or destroy any PHI in their possession at the end of the effective term of a BAA, where feasible; and</li><li>consistent with the governing BAA, make PHI available as necessary
for the CE to meet its obligations to provide individuals with their
rights to access, amend, and receive an accounting of disclosures of
PHI.</li></ul>
<p>If a CSP does not know that a customer is storing PHI in its cloud,
an affirmative defense to allegations of a HIPAA violation is available,
provided that the CSP takes corrective action essentially at the time
that it knows or should know that it is storing the PHI.</p>
<p><strong><em>HIPAA Obligations in the Cloud Environment Can Vary and Should be Addressed in Contracts</em></strong></p>
<ul><li>CSPs storing PHI should execute business associate contracts with
customers. Note, however, that even if a BAA is not in place, CSPs
storing PHI are required to comply with all applicable provisions of the
HIPAA rules.</li><li>The CSP and its customer are independently responsible for HIPAA
compliance. HHS recognizes that in some cases, requiring more than one
party to implement the same safeguards would be redundant. Organizations
can contract to share responsibility for implementing certain Security
Rule obligations.</li><li>Requests for assurance of protections for PHI beyond what is
expressly required in the HIPAA regulations are increasingly common.
Customers may request documentation of security protections, audit
rights, or other information related to security practices. These
requests and related contractual provisions are permitted provided that
their terms are consistent with both entities’ HIPAA obligations.</li><li>The use of CSPs outside the United States is not prohibited by
HIPAA. That said, the risks to PHI can vary depending on their
geographic location and outsourcing overseas can increase the risks and
vulnerabilities in ways that call for additional contractual
protections. Such risks need to be accounted for in the security risk
analysis and risk management plans required by the HIPAA Security Rule.</li></ul>
<p><em><strong>How should entities respond to the guidance?</strong></em></p>
<p>HIPAA regulated entities using or providing cloud-based services should:</p>
<ul><li>Evaluate the services and identify when BAAs are required.</li><li>Enter into a BAA as appropriate. OCR has made compliant BAAs an
enforcement priority, recently assessing a financial penalty of
$2,700,000 and entering into <a href="http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html">a resolution agreement and corrective action plan</a>
with Oregon Health & Science University for allegedly storing the
PHI of more than 3,000 individuals on a cloud-based server without
entering into a BAA.</li><li>Conduct risk analyses and establish risk management activities in connection with the use or provision of the service.</li></ul>
</div>