“The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health Insurance Portability and Accountability Act (HIPAA).

Last month, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the storage of protected health information (PHI) in the cloud. Not surprisingly, the OCR reiterated its expectation that covered entities enter into business associate agreements with service providers and provide prompt notice of unauthorized access. However, one of the more surprising takeaways from that guidance was the OCR’s position that a cloud service provider (CSP) could be subject to HIPAA merely by storing encrypted PHI. Specifically, the OCR has said, “When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA[.] This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules[.]”

This is huge! Even if a CSP is unable to read or access PHI, the CSP would STILL be considered a business associate.”


Author: M. Scott Koller