In a previous post, I discussed the implications of the new HIPAA-HITECH Act regulation for cloud service providers. I noted that cloud service providers would generally be deemed to be business associates (BAs) under HIPAA because any entity that “maintains” protected health information (PHI) on behalf of a covered entity or another BA is deemed a BA. Under HIPAA, BAs are directly liable to HHS enforcement for a number of responsibilities under the HIPAA Privacy and Security Rules. Moreover, a BA must be under a business associate agreement (BAA) with the entity supplying the PHI.
Cloud Service Providers as BAs
The regulation commentary states that “data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis. Conversely, data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.” Additionally, the “exchange of protected health information through a network, including providing record locator services and performing various oversight and governance functions for electronic health information exchange, have more than ‘random’ access to protected health information and thus, would fall within the definition of ‘business associate.’” Mere “conduits” of PHI, such as postal carriers or courier services, are not BAs because a “conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.”
According to the FAQ on the HHS website, “[t]he mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the protected health information of the covered entity. If the vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity.”
Cloud providers that have access to the PHI they store would thus be BAs because they are more than mere conduits. Any cloud provider that stores PHI has more than “random or infrequent” access. In a news media quote, Joy Pritts, ONC’s chief privacy officer, appears to confirm this reading:
The pending HIPAA modifications clarify that all business associates with access to patient data must comply with the privacy and security rules, Pritts pointed out. "That brings cloud services under direct regulations of HIPAA," she said.
The Effect of Encryption
One ambiguity I noted in my previous post is whether a cloud provider maintaining encrypted data would be deemed to be a BA. On this issue, HHS has sent mixed messages. HHS officials have said informally, in speeches and in answers to questions, that when all the PHI is encrypted, a cloud service provider would be a BA only if it holds the encryption key. If a cloud service provider doesn’t hold the key, then it is merely a conduit.
Other healthcare lawyers have heard different advice. According to one healthcare lawyer, “During a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute, OCR’s David Holtzman, Information Privacy Division, said ‘[i]f you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.’” Another HIPAA lawyer has said: “I do understand that an OCR official apparently indicated that an entity which ‘maintains’ – hosts, stores – even encrypted PHI for or on behalf of a Covered Entity (including soon indirectly through a Business Associate), even if the entity doesn’t have access to the keys, is a Business Associate because encrypted or not, it is ‘maintaining’ the PHI.” Thus, there appear to be somewhat conflicting signals about the issue.
Beyond any HHS interpretation, what is the best way to interpret HIPAA on this issue? Elizabeth Johnson, a partner at Poyner Spruill who specializes in information privacy law and HIPAA-HITECH, notes that on the issue of whether cloud providers that maintain encrypted data are business associates, “the HIPAA regulation does not explicitly answer the question because it is largely technology-neutral. Looking broadly at the HIPAA regulation, a sensible interpretation is that it should apply to cloud providers even if the PHI is encrypted because there are important responsibilities that BAs have that encryption cannot eliminate. For example, BAs have data integrity requirements and must ensure that PHI is readily available for privacy concerns such as patient access and for Security Rule compliance. If cloud providers could escape the application of the rules and BAA obligations simply because data were encrypted, any failure by them to adequately maintain the encrypted PHI would defeat both privacy and security priorities identified in the rules and would create liability for their clients.”
The goal of extending HIPAA directly to BAs and to subcontractors of BAs is to ensure that data stays within HIPAA’s protective bubble. Imagine if a covered entity were to encrypt its PHI and store it at a very shoddy cloud service provider. The provider’s computers are all located in a building that burns down in a fire, and a backup copy of the PHI isn’t kept in a different location. Patients’ medical data would be lost. This would impact patients’ rights to access their data from the covered entity, since the covered entity would no longer have the data. But if the cloud service provider weren’t a BA, then the requirements of the HIPAA Security Rule wouldn’t directly apply to it. There would be no HHS enforcement against the cloud service provider. And no audits.
Of course, one might point to the Breach Notification Rule for guidance, where if the PHI is encrypted, then there is no need to notify in the event of a data security breach. This makes sense in the context of a data breach because the potential harm is in unauthorized access to the data, which encryption prevents. But the provisions of HIPAA that BAs must follow go beyond preventing the harms of breaches and unauthorized access. They also protect against harms to the integrity and accessibility of data.
Moreover, it strikes me as a bad incentive if the HIPAA regulation were to treat cloud service providers that held the encryption keys differently from those where only the covered entity kept the keys. Having the cloud service provider hold the keys might be a plus in the event the covered entity loses the keys, which would mean a loss of valuable patient PHI. HIPAA shouldn’t give a pass to cloud service providers that don’t hold the keys, since having the provider hold the keys is a practice that we might want to encourage.
What Should Be Done?
In the absence of clear guidance about the issue, I recommend that whenever covered entities or BAs use a cloud service provider, they should treat the cloud service provider as they would any other BA. This means requiring in the contract the same things that would be required of a BA. It also means selecting a cloud service provider that is willing to agree to taking the necessary steps to be compliant with HIPAA.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. The opinions expressed are those of the author only and not of any organization with which the author is affiliated.