OCR issues new guidance on HIPAA and cloud computing

October 11, 2016

Health Care Alert

Author(s): Laurie T. Cohen

New guidance clarifies HIPAA issues when covered entities and business associates send ePHI into the “cloud.”

The Office for Civil Rights (OCR) continues to issue guidance to covered entities and business associates on discrete arrangements that implicate the HIPAA Privacy and Security Rules (HIPAA Rules). Most recently, OCR released guidance on “HIPAA and Cloud Computing” accompanied by a series of frequently asked questions (FAQs).

The guidance affirms that a covered entity (or business associate ) may engage a cloud service provider (CSP) to store electronic protected health information (ePHI) or to create, receive or transmit ePHI on the covered entity’s (or business associate’s) behalf provided that the parties enter into a HIPAA-compliant business associate agreement. OCR cautions, however, that “a covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies . . ..”

OCR also clarifies that a CSP storing or maintaining encrypted ePHI on behalf of a covered entity or on behalf of a business associate is itself a business associate. This is the case, even when the CSP does not have access to the decryption key and cannot actually view the ePHI. OCR asserts that, although encryption may protect ePHI from being viewed in an unauthorized manner, such protections do not adequately safeguard the integrity and availability of ePHI as required by the Security Rule. Most notably, encryption does not ensure that the information cannot be corrupted by malware, nor does it ensure that the ePHI remains available to authorized persons.

Also of note, OCR recognizes that “a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain[] or transmit ePHI.” OCR explains that “if a CSP becomes aware that it is maintaining ePHI, it must come into compliance with the HIPAA Rules, or securely return the ePHI to the customer or, if agreed to by the customer, securely destroy the ePHI.” A CSP is at risk of violating the HIPAA Rules if it fails to take steps to become compliant once it learns that its service is being used to create, receive, maintain or transmit ePHI. Although the HIPAA Rules provide an affirmative defense in cases where a CSP is unaware that a covered entity or business associate customer is maintaining ePHI in its cloud, such defense is not available if the CSP’s lack of awareness is the result of its own willful neglect.

The guidance and the full text of the FAQs can be found here.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Back to top