HHS CLOUD COMPUTING Compliance

HIPAA Privacy Rule/Security Rule/Electronic Protected Health Information

HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI).  The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). 

Entities that must abide by these rules include:

  • Covered entities
  • Business associates

A ‘covered entity’ is a health plan, a health care clearinghouse, or a health care provider who conducts billing and payment related transactions electronically.

A ‘business associate’ is an entity or person, other than a member of the workforce of a covered entity, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. A business associate also is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate. A cloud computing firm, or any business providing cloud computing services, for these purposes serves as a ‘business associate’.

When a covered entity engages the services of a Cloud Service Provider (CSP) to create, receive, maintain, or transmit ePHI (such as to process or store ePHI) on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.

Relevant Q&A

Q1. May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP (in this case Synthys Medical) that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf.

 

Q2. May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate of or on behalf of the covered entity?

Generally, no. However, arrangements may exist to dispose of (e)PHI because of specific contractual obligations, completion of retention periods (see Q’s 7 & 8), or because of data aggregation. Data aggregation will generally render the source data, in its original format, unreturnable to the covered entity. Any other outcome, in which the service level agreement (SLA) or business associate agreement (BAA) with the Cloud Service Provider (CSP), or a subcontractor of the CSP, prevents the covered entity from accessing its ePHI, is a violation of Federal law.

 

Q3. If a Cloud Service Provider (CSP) stores only encrypted ePHI and does not have access to a decryption key, is it a HIPAA business associate?

Yes. A CSP that receives, maintains, processes, or stores ePHI for a covered entity or another business associate is a HIPAA business associate even if it cannot decipher the stored data.

 

Q4. May a HIPAA covered entity (or business associate) use a Cloud Service Provider (CSP) to maintain ePHI without first executing a business associate agreement (BAA) with that CSP?

No. Doing so constitutes a violation of the HIPAA Rules and associated Federal law. The HHS Office for Civil Rights (OCR) will investigate any complaint. Under the HITECH Act’s updates to HIPAA, OCR will aggressively implement a resolution agreement and corrective action plan, which will always include serious financial penalties.

 

Q5. Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

Yes. Covered entities, health care providers, and business associates may do so, as long as the required physical, technical, and administrative safeguards are in place. These, in total, must protect the confidentiality, integrity, and availability of ePHI. The HIPAA Rules do not endorse or require any specific type of technology, nor will they ever endorse specific vendors.

 

Q6. Do the HIPAA Rules allow health care providers to use email to transfer ePHI in the cloud?

Yes, with a condition. The Security Rule specifies that the data must be ‘adequately protected’, which reasonably implies that encryption be used.

 

Q7. What minimum encryption level is specified in the HIPAA Security Rule for the transfer of data by email?

None is specified by the Security Rule itself. However, the National Institute of Standards & Technology (NIST) recommends that a minimum of AES-128 (Advanced Encryption Standard with a 128-bit key) be applied, with AES-256 strongly encouraged.

 

Q8. Is a Cloud Service Provider (CSP) required to maintain ePHI for any period of time beyond when it has finished providing services to a covered entity or business associate?

No. The business associate agreement (BAA) must specify that the CSP or related business associate return or destroy all ePHI immediately before the termination of the BAA. The only ePHI that need not be returned is component data that has been aggregated; this component data must, however, be destroyed before the termination of the BAA.

 

Q9. Assume a Cloud Service Provider (CSP) or business associate is actively maintaining ePHI. What are the guidelines for retention of actively maintained ePHI?

ePHI (and all HIPAA data) must be maintained for six years from the date of its creation or the date when it was last in effect, whichever is later. HIPAA requirements supersede State laws if the State law specifies a shorter period. State law supersedes HIPAA if the State law requires a retention period longer than six years. This is actually specified in the HIPAA administrative rules, not the HIPAA Privacy Rule.

 

Q10. Assume a Cloud Service Provider (CSP) maintains only data that has been de-identified in accordance with the HIPAA Privacy Rule. Must that CSP execute a business associate agreement (BAA) with the source covered entity?

No. The Privacy Rule does not restrict the use or disclosure of de-identified information, nor does the Security Rule require that any safeguards be applied, given that de-identified information is not considered (e)PHI.

 

Q11. Are covered entities or business associates allowed to use a Cloud Service Provider (CSP) that stores ePHI on servers outside of the United States?

Yes, as long as the covered entity (or business associate) enters into a business associate agreement (BAA) with the Cloud Service Provider (CSP). Although the HIPAA Rules make no specific reference to storing data on servers outside of the US, it is assumed that the CSP, in concert with the covered entity and related business associates, has performed a ‘risk analysis’ for this specific situation and found the risks to be reasonable.

 

Q12. Are covered entities who have entered into signed BAAs with Cloud Service Providers (CSPs) allowed to ‘audit’ the security practices of the CSP?

No. The HIPAA Rules simply require that covered entities and business associates obtain strong assurances, in the form of a BAA, that the CSP will appropriately safeguard the ePHI it creates, receives, maintains, or transmits. The HIPAA Rules do not expressly demand that a CSP provide documentation of its security practices, but the drafted BAA may request the generation of safeguard documentation and the results of internal audits the CSP conducts for itself.

 

Q13. Are there any HIPAA Security Rule requirements in place specifying how CSPs must handle their audit logs?

Yes, indirectly. Audit logs may often include the names of patients, which is ePHI. Like all ePHI, the audit logs must be ‘adequately protected’ from release and unauthorized access.
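Q6, Q7 and Q13 all come down to the same control: ePHI that leaves the covered entity by email, or sits in a CSP's audit logs, should be encrypted with AES at no less than 128 bits, preferably 256. The program below is an added example, not code from this page or from Synthys Medical, showing what that looks like with Go's standard library: a key-length policy check that rejects anything weaker than AES-128 and can insist on AES-256, and AES-GCM sealing of an email body and an audit-log line, using the record's purpose ("email" or "audit-log") as authenticated additional data so a blob cannot be silently replayed in the wrong context. The key, the patient names and the log line are constructed sample values; a real deployment would obtain the key from a key-management service, and the BAA, not this code, decides who may hold it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyBits returns the AES key strength in bits for a raw key, or an error
// when the key is not a valid AES key length (16, 24 or 32 bytes).
func KeyBits(key []byte) (int, error) {
	switch len(key) {
	case 16, 24, 32:
		return len(key) * 8, nil
	}
	return 0, fmt.Errorf("invalid AES key length %d bytes (need 16, 24 or 32)", len(key))
}

// CheckPolicy applies the NIST guidance quoted on the page: anything below
// AES-128 is rejected outright; with strong=true, AES-256 becomes mandatory
// instead of merely encouraged.
func CheckPolicy(key []byte, strong bool) error {
	bits, err := KeyBits(key)
	if err != nil {
		return err
	}
	if strong && bits < 256 {
		return fmt.Errorf("policy requires AES-256, got AES-%d", bits)
	}
	return nil
}

// Seal encrypts plaintext with AES-GCM and returns nonce || ciphertext || tag.
// context is authenticated but not encrypted (GCM additional data), so a blob
// sealed for "email" cannot be passed off as an "audit-log" record.
func Seal(key, plaintext []byte, context string) ([]byte, error) {
	if err := CheckPolicy(key, false); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// Open reverses Seal. Any modification of the blob, or a mismatched context,
// fails authentication and returns an error rather than garbage plaintext.
func Open(key, sealed []byte, context string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(context))
}

func main() {
	// Constructed 32-byte key (AES-256); a real deployment would draw this from a KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample records; the patient names are fictional.
	records := []struct {
		ctx  string
		data []byte
	}{
		{"email", []byte("Subject: Lab results for patient J. Doe (constructed sample)")},
		{"audit-log", []byte(`2024-01-01T00:00:00Z user=drsmith action=view patient="Jane Doe" (constructed sample)`)},
	}
	for _, rec := range records {
		sealed, err := Seal(key, rec.data, rec.ctx)
		if err != nil {
			panic(err)
		}
		plain, err := Open(key, sealed, rec.ctx)
		fmt.Printf("%-9s sealed=%d bytes, round trip ok=%v\n", rec.ctx, len(sealed), err == nil && string(plain) == string(rec.data))
	}
	// A 64-bit key never reaches the cipher.
	fmt.Println("weak key:", CheckPolicy(make([]byte, 8), false))
}
```

Seal refuses to run with a key shorter than AES-128, and Open fails closed on a truncated, tampered or mis-labelled blob, so a stored audit log that has been altered is detected at read time rather than silently accepted.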

 

Q14. A Cloud Service Provider (CSP) is storing my personal genetic information. Is this protected information (ePHI), requiring that a BAA be in place?

Yes, of course. To be protected, it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse.

We WILL deliver the solution that you need!

As a first step, we will be delighted to answer any and all of your questions!
