OCR’s cloud computing guidance puts end to conduit exception myth

Posted: Oct 28, 2016
Share This:

New guidance released by Office for Civil Rights (OCR) confirms that cloud service providers (CSPs) that store patient health information must now comply with HIPAA. If you’re thinking, “why only now?”, you’re not alone.

Cloud storage is one of HIPAA’s many gray areas, due the fact CSPs have, until now, been able to circumnavigate their obligations to HIPAA by way of the conduit exception rule. In short, an entity that simply transports or transmits PHI (protected health information), but does not have regular access to it, may claim the ‘conduit exception’. Some examples of this would be the United States Postal Service, internet service providers and couriers.

By claiming to be a mere conduit of PHI, entities do not claim to be a Business Associate (BA) to a covered entity, and therefore dodge the need to sign a Business Associate Agreement (BAA) and any of the responsibilities that come with it.

However, under the new HIPAA Cloud Guidance, any CSP that stores ePHI must adhere to the following:

  1. Sign a HIPAA Business Associate Agreement;
  2. Conduct a HIPAA Security Risk Analysis;
  3. Comply with the HIPAA Privacy Rule;
  4. Implement HIPAA Security Rule safeguards the ePHI to ensure its confidentiality, integrity, and availability;
  5. Comply with the HIPAA Breach Reporting Rule by reporting any breaches of ePHI to its customers, and be directly liable for breaches it has caused.

List taken from http://www.emrandhipaa.com

The new guidance presents a number of key questions and answers to assist HIPAA regulated CSPs and their customers in understanding their responsibilities under HIPAA. These questions are as follows:

May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Short answer; Yes, providing both parties sign a BAA.

If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

Short answer; Yes, because the CSP receives and maintains ePHI.

Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Short answer; Generally, no. You can read more about the HIPAA conduit rule here and here.

What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?

Short answer; This would be a violation of the HIPAA Rules.

If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?

Short answer; Yes. Further reading on breach response can be found here.

Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

Short answer; Yes, providing necessary safeguards are taken to protect the device, and BAAs are in place with any third party service providers.

Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

Short answer; No.

Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

Short answer; Yes, providing both parties sign a BAA. However, OCR notes that outsourcing cloud storage, or any other services for that matter, for ePHI overseas may increase risks and vulnerabilities. For example, if ePHI is maintained in a country which is more susceptible to malware attacks, then this should be taken into account when assessing risks.

Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?

Short answer; No.

If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a business associate?

Short answer; No. The HIPAA Privacy Rule does not restrict the disclosure of de-identified information. A CSP receiving de-identified information would not be considered a BA. Further information about the de-identification of PHI can be fo our HIPAA Gray Areas report.

OCR’s full guidelines on HIPAA and cloud computing can be found at http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html