Recent guidance from the U.S. Department of Health and Human Services (HHS) reinforces that the HIPAA conduit exception does not apply to Cloud Service Providers.
According to HHS, "[t]he HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) establish important protections for individually identifiable health information (called protected health information or PHI when created, received, maintained, or transmitted by a HIPAA covered entity or business associate), including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals' rights with respect to their health information." These standards apply to covered entities, business associates, and subcontractors.
It never ceases to amaze me how many entities believe that they fit into the conduit exception, which was addressed in the Final Omnibus Rule, published in 2013. This narrow exception allows entities that merely transmit PHI (and store it only temporarily and incidentally to that transmission) to do so without meeting the requirements of the HIPAA Rules. The Omnibus Rule expressly states that the exception is narrow, and the examples it gives are couriers such as FedEx and the U.S. Postal Service and internet service providers (ISPs). Cloud Service Providers (CSPs), which store PHI persistently rather than merely carrying it, are among the types of business associates or subcontractors that have generated the most controversy.
HHS's cloud computing guidance resolves the question: it is permissible for a covered entity or business associate to use a CSP, but the CSP must meet the same HIPAA Rule compliance standards as any other business associate. In HHS's words, "[t]he CSP subcontractor itself is a business associate." This holds even if the CSP stores only encrypted ePHI and holds no decryption key, and it holds regardless of whether the CSP can read the data it stores: a CSP does not fall within the conduit exception. "Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules." Given the $400,000 settlement that Care New England Health System (CNE) just reached with HHS for not having a compliant business associate agreement (BAA) in place, this is an area that should not be overlooked.
The takeaways for physicians and other providers are:
1. Make sure that a compliant BAA is in place with every CSP (and every other business associate) that creates, receives, maintains, or transmits PHI on your behalf, including a CSP that holds only encrypted data it cannot read;
2. Do due diligence when selecting the type of cloud and the provider, including what the provider will commit to in the BAA; and
3. Make sure that the appropriate Security Rule controls are in place, and that your risk analysis covers the ePHI stored with the CSP.