Cloud storage and computing are being widely adopted by businesses across many fields, including those classified as Covered Entities and Business Associates under the Health Insurance Portability and Accountability Act (HIPAA). With such a significant modernization, how are the HIPAA obligations of these entities affected when using a Cloud Service Provider (CSP)? The Office for Civil Rights (OCR) recently released guidance for Covered Entities and Business Associates with respect to how relationships with CSPs must be governed.
A HIPAA regulated entity’s engagement of a CSP does not release, or in any way alter, the entity’s HIPAA obligations. If an entity or individual is classified as a Covered Entity or Business Associate, the entity must afford appropriate protection to Protected Health Information (PHI) consistent with HIPAA regulations, irrespective of where the PHI is stored. Moreover, in addition to the responsibilities of entities engaging the CSP, the CSP itself will be considered a Business Associate in the capacity in which it maintains PHI on behalf of its customer.
Many Covered Entities and Business Associates may understand in theory that their CSP is a Business Associate, but may fail to hold the CSP to the same standards they would apply to any other contractor. This may be the result of the CSP’s hosting structure, such as assurances that data will be randomized, not accessed, or encrypted. Nevertheless, a CSP’s inability to access the PHI it stores does not negate its duty as a Business Associate to protect that PHI. By definition, maintaining PHI on its hosted system in and of itself renders the CSP a Business Associate. Therefore, Covered Entities and Business Associates must ensure that any CSP hosting PHI enters into a compliant Business Associate Agreement (BAA), protecting the Covered Entity’s or Business Associate’s PHI on behalf of the patient to whom it belongs. Any HIPAA regulated entity that does not execute a BAA with a CSP hosting its PHI will be considered to be in violation of HIPAA regulations. CSPs must also be aware that even in the absence of a required BAA, a CSP hosting PHI will still be directly liable for maintaining compliance with HIPAA, as the requirements of HIPAA are enforceable upon the CSP. The CSP’s function of maintaining PHI on behalf of its Covered Entity or Business Associate customer renders it a Business Associate, and thus HIPAA regulations apply directly to the CSP.
Additionally, Covered Entities and Business Associates must be sure to include an assessment of the risks associated with the use of CSPs in the entity’s mandatory risk analysis and risk management plan.
If you or your practice require assistance in analyzing whether a CSP may be classified as a Business Associate, structuring an agreeable but compliant Business Associate Agreement, or preparing a risk analysis as required by HIPAA, contact Frier Levitt.