Cybersecurity 2017 – The Year In Preview: HIPAA Compliance

Cloud services providers are subject to HIPAA as business associates even if they are unable to view PHI.

Editor’s Note: This article highlights considerations for HIPAA compliance in 2017 including salient points for organizations providing cloud services such as SaaS-based eDisovery providers.

Extract from article by Jeremy Meisinger

OCR’s recently released guidance on cloud computing is an example of an attempt to tackle new technology and indicates that OCR will be keeping a close eye on cloud services providers in the future.  OCR makes clear that cloud services providers are business associates for HIPAA once engaged to receive, maintain, and transmit electronically stored Protected Health Information (PHI).  Accordingly, the relationship between a covered entity and a cloud services provider should be governed by a written, HIPAA-compliant business associate agreement.

Cloud services providers are subject to HIPAA as business associates even if they are unable to view PHI, such as in an arrangement whereby a business associate receives and stores encrypted data but does not have a decryption key.  Encryption alone does not satisfy the security requirements of HIPAA but, the guidance makes clear, plays a role in apportioning responsibility for security.  The guidance gives the example of a covered entity providing encrypted data but no decryption key, and states that where such a covered entity implemented its own appropriate user authentication controls, the cloud services provider would not be required to verify user authentication also.  The guidance states that where a business associate agreement puts the lion’s share of security responsibility on the covered entity, a cloud services provider would not be responsible for “compliance failures that are attributable solely to the actions or inactions” of the covered entity.

Read the complete article at Cybersecurity 2017 – The Year In Preview: HIPAA Compliance

ComplexDiscovery combines original industry research with curated expert articles to create an informational resource that helps legal, business, and information technology professionals better understand the business and practice of data discovery and legal discovery.

All contributions are invested to support the development and distribution of ComplexDiscovery content. Contributors can make as many article contributions as they like, but will not be asked to register and pay until their contribution reaches $5.