OCR Offers Guidance on HIPAA and Cloud Computing | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

OCR Offers Guidance on HIPAA and Cloud Computing

October 7, 2016
by David Raths
| Reprints
Cloud service provider that stores only encrypted data is still a business associate

The Health & Human Services Office of Civil Rights (OCR) has provided guidance around several questions regarding cloud service providers and HIPAA. For instance, if a cloud provider stores only encrypted protected health information and does not have a decryption key, OCR said it is still considered a HIPAA business associate.

OCR refers to cloud service providers (CSPs) storing encrypted PHI as “no-view” services. “As a business associate, a cloud service provider providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules,” OCR said.  “However, the requirements of the Rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP.”

Regarding the HIPAA Security Rule, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still be required to implement appropriate internal controls to assure only authorized access to the administrative tools that manage the resources (e.g., storage, memory, network interfaces, CPUs) critical to the operation of its information systems.  For example, a CSP that is a business associate needs to consider and address, as part of its risk analysis and risk management process, the risks of a malicious actor having unauthorized access to its system’s administrative tools, which could impact system operations and impact the confidentiality, integrity and availability of the customer’s ePHI. 

An exception that would see a provider as only a “conduit” of information is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.  Any access to PHI by a conduit is only transient in nature.  In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

OCR clarified that a CSP is not a business associate if it receives and maintains only information that has been de-identified following the processes required by the Privacy Rule. OCR also noted that if a covered entity (or business associate) uses a CSP to maintain electronic PHI without entering into a business associate agreement, the covered entity (or business associate) is in violation of the HIPAA rules. 

In a statement released by ACT, the App Association, its executive director, Morgan Reed, said that companies that fall under the newly created term, “no-view service provider” will face compliance questions around access which must be resolved. “Of course, further outstanding HIPAA questions remain as well. For example, there is still a lack of clarity around texting and messaging, which are central to patients’ and physicians’ lives. We look forward to working with OCR on these important issues.”

 

 

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Analysis: Healthcare Ransomware Attacks Decline in First Half of 2018

In the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a new report form cybersecurity firm Cryptonite.

Dignity Health, UCSF Health Partner to Improve the Digital Patient Experience

Dignity Health and UCSF Health are collaborating to develop a digital engagement platform that officials believe will provide information and access to patients when and where they need it as they navigate primary and preventive care, as well as more acute or specialty care.

Report: Digital Health VC Funding Surges to Record $4.9 Billion in 2018

Global venture capital funding for digital health companies in the first half of 2018 was 22 percent higher year-over-year (YoY) with a record $4.9 billion raised in 383 deals compared to the $4 billion in 359 deals in the same time period last year, according to Mercom Capital Group’s latest report.

ONC Roundup: Senior Leadership Changes Spark Questions

The Office of the National Coordinator for Health IT (ONC) has continued to experience changes within its upper leadership, leading some folks to again ponder what the health IT agency’s role will be moving forward.

Media Report: Walmart Hires Former Humana Executive to Run Health Unit

Reigniting speculation that Walmart and insurer Humana are exploring ways to forge a closer partnership, Walmart Inc. has hired a Humana veteran to run its health care business, according to a report from Bloomberg.

Value-Based Care Shift Has Halted, Study Finds

A new study of 451 physicians and health plan executives suggests that progress toward value-based care has stalled. In fact, it may have even taken a step backward over the past year, the research revealed.