Editor’s Note: This article highlights considerations for HIPAA compliance in 2017 including salient points for organizations providing cloud services such as SaaS-based eDisovery providers.
Extract from article by Jeremy Meisinger
OCR’s recently released guidance on cloud computing is an example of an attempt to tackle new technology and indicates that OCR will be keeping a close eye on cloud services providers in the future. OCR makes clear that cloud services providers are business associates for HIPAA once engaged to receive, maintain, and transmit electronically stored Protected Health Information (PHI). Accordingly, the relationship between a covered entity and a cloud services provider should be governed by a written, HIPAA-compliant business associate agreement.
Cloud services providers are subject to HIPAA as business associates even if they are unable to view PHI, such as in an arrangement whereby a business associate receives and stores encrypted data but does not have a decryption key. Encryption alone does not satisfy the security requirements of HIPAA but, the guidance makes clear, plays a role in apportioning responsibility for security. The guidance gives the example of a covered entity providing encrypted data but no decryption key, and states that where such a covered entity implemented its own appropriate user authentication controls, the cloud services provider would not be required to verify user authentication also. The guidance states that where a business associate agreement puts the lion’s share of security responsibility on the covered entity, a cloud services provider would not be responsible for “compliance failures that are attributable solely to the actions or inactions” of the covered entity.