Health and Human Services’ Office for Civil Rights (“HHS”) issued new guidance this weekend concerning cloud storage. Bottom line: If you are a covered entity (“CE”) that stores or transmits electronic protected health information (“ePHI”) in the cloud, you must have a Business Associate Agreement (“BAA”) with your cloud service provider (“CSP”) that meets very specific criteria.
The consequences of not having one are harsh. In July 2016, Oregon Health & Science University in Portland settled with HHS for $2.7 million after an investigation following a data breach showed it had stored ePHI on a Google-based cloud platform without a service level agreement (“SLA”) or BAA in place.
Here are the basics:
CSPs that store ePHI are business associates (“BAs”). The CE must have a BAA with the CSP…period. The CSP must establish HIPAA-compliant protections, limitations, and safeguards on how it uses and discloses ePHI.
If a BA subcontracts with a CSP, the CSP is still required to sign a BAA with that BA, making the CSP directly liable for HIPAA violations.
A CE that engages the services of a CSP must understand the cloud computing environment or solution it is purchasing, conduct its own risk analysis of storing ePHI with the CSP, and establish risk management policies. The analysis must identify and assess potential threats and vulnerabilities related to using the CSP. See 45 CFR § 164.308(a)(1)(ii)(A).
In addition to BAAs, HHS recommends SLAs include HIPAA-related provisions such as:
- System availability and reliability;
- Back-up data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention, and disclosure limitations.
Nothing in the terms of the SLA and/or BAA should prevent the CE from accessing its ePHI regardless of the situation. See 45 CFR § 164.308(b)(3).
What if the PHI is encrypted and the CSP doesn’t have the decryption key?
HHS calls the above “no-view services.” The CE must still obtain a BAA from the CSP, and the CSP is itself directly liable under HIPAA. It does not matter that the CSP cannot actually view the ePHI. However, in the case of no-view services, certain Security Rule requirements can be satisfied for both parties through the actions of one of them. But even when the parties have agreed that the customer is responsible for authentication, the CSP may still be responsible for implementing internal controls to assure that only authorized personnel can access the administrative tools it uses to manage the ePHI. As part of its risk analysis, the CSP should consider unpatched or obsolete administrative tools. And the “CSP and customer should confirm in writing. . . how each party will address the Security Rule requirements.” Importantly, the CSP cannot impermissibly block or terminate the customer’s access to its ePHI.
CSPs are rarely mere conduits, analogous to the United States Postal Service (“USPS”)
CSPs hoping to use the conduit exception by claiming that they provide mere transmission-only services, much like the USPS, will be disappointed. The conduit exception applies only if any storage is transient and incidental to transmission. If the CSP is receiving, maintaining, or storing the ePHI, it is a BA, not a conduit.
Click here to read the full guidance. Call Marlena at 425-553-2070 if you have questions.