In guidance issued on October 6, OCR has clarified that cloud service providers (CSPs) who create, receive, maintain or transmit electronic PHI on behalf of their customers are “business associates” under HIPAA and therefore must comply with applicable HIPAA requirements—an assertion which should be unremarkable to CSPs who have been providing these kinds of services for years.  The guidance was released on the heels of OCR’s investigation of Oregon Health & Science University, which uncovered that the university failed to enter into a business associate agreement with a CSP that stored ePHI of over 3,000 individuals.

As the guidance explains, merely entering into a business associate agreement with a CSP is not sufficient to comply with HIPAA.  As with any business associate, a CSP that functions as a business associate must comply with applicable standards and implementation specifications of the Security Rule which require that ePHI be adequately safeguarded.  For example, a CSP may be required to implement adequate internal controls to assure that only authorized personnel access its information systems.  A service level agreement between the covered entity and CSP should be consistent with both HIPAA requirements and business associate agreement terms.

The guidance emphasizes that CSPs do not avoid being subject to HIPAA simply because they have access to only encrypted ePHI and do not have the decryption key (meaning they have no way to actually view the ePHI)—CSPs that provide these so-called “no-view services” are still generally subject to HIPAA (assuming the CSP otherwise meets the definition of a “business associate”).  However, in some instances, the fact that the ePHI is encrypted may relieve the CSP from certain obligations, such as the breach reporting obligation (which applies only to “unsecured” PHI and not to PHI which has been properly encrypted).

Two additional requirements relevant to CSPs that store ePHI are (i) the assurance of availability of ePHI; and (ii) performance of risk analyses.  First, a CSP must be able to make ePHI available to its covered entity customers within specified time frames to enable those customers to timely respond to individuals’ requests for access to, or amendment of, such ePHI.  Thus, it may be advisable to have specificity in the BAA as to turnaround time for the CSP to make ePHI available.  Second, whenever a covered entity stores ePHI in a new environment (whether it be in the cloud or some other environment), a risk analysis must account for any new risks or vulnerabilities that could affect the ePHI in that environment.  Before hiring a CSP, a covered entity should perform its own careful analysis as to whether the potential risks to the security of its ePHI held by the CSP would be acceptable and capable of being appropriately managed.

Another noteworthy point in the guidance, addressed in a Q & A, concerns storage of ePHI on servers located outside the U.S.  While HIPAA allows for storage of ePHI outside of the U.S., the guidance cautions that HIPAA rules do not protect such ePHI, and that risks to ePHI may vary considerably depending on geographic location and the enforceability of applicable privacy and security protections.  A risk analysis should take into consideration the risk factors associated with the particular geographic location.