Recent guidance issued by the Department of Health and Human Services (“HHS”) clarifies the extent to which cloud service providers are subject to the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  

The new HHS guidance explains that cloud service providers (“CSPs”) which create, receive, maintain, or transmit electronic protected health information (“ePHI”) on behalf of HIPAA-covered entities and business associates are directly liable under HIPAA as business associates.  Furthermore, HIPAA-covered entities and business associates are required to enter into HIPAA-compliant business associate agreements with CSPs that create, receive, maintain, or transmit ePHI on their behalf.

HIPAA-covered entities and business associates should be familiar with the HIPAA privacy and security rules, but the application of the rules to CSPs will pose new compliance hurdles.  HIPAA-covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with HIPAA-covered transactions, such as billing and payment.  For example, a group health plan that submits electronic payments to a third-party administrator, and a hospital that electronically bills patients are both HIPAA-covered entities.  Business associates (entities or individuals such as vendors and third-party administrators that perform functions on behalf of, or provide services to, a covered entity) must also comply with HIPAA to the extent they create, receive, maintain, or transmit ePHI on behalf of covered entities.  The HIPAA privacy, security, and breach notification rules require covered entities and business associates to protect individually identifiable health information, limit uses and disclosures of such information, and safeguard against impermissible uses and disclosures of the information.  As covered entities and business associates have increasingly turned to CSPs to process and store ePHI on their behalf, the direct application of the HIPAA rules to such CSPs has remained uncertain.

The new HHS guidance makes clear that CSPs are directly liable under HIPAA if they create, receive, maintain, or transmit ePHI on behalf of a covered entity or on behalf of a business associate of a covered entity (such as by processing or storing the covered entity’s ePHI on the CSP’s servers), even if the CSP cannot access the data.  This means that a CSP that receives only encrypted ePHI, and holds no key with which to decrypt it, must still comply with the HIPAA rules.  The one category that falls outside the rules is information that has been de-identified in accordance with the HIPAA Privacy Rule: de-identified data is not PHI, so a CSP that receives and maintains only such data is not a business associate on that basis.

This guidance may come as a shock to many covered entities and business associates that have long assumed CSPs do not face or create HIPAA-compliance concerns if the CSPs cannot access shared data.  Indeed, it may be an even greater shock to CSPs that have long claimed to be exempt from HIPAA’s reach.  Under the guidance, once a CSP creates, receives, maintains, or transmits ePHI on behalf of a covered entity or business associate, it becomes a HIPAA business associate and must directly comply with the privacy, security, and breach notification rules applicable to business associates.  A CSP also becomes a business associate when it is subcontracted by another business associate to create, receive, maintain, or transmit ePHI.  

Immediate action items for covered entities and business associates include:

HHS declined to certify specific CSPs, technologies, or products as HIPAA-compliant, so entities must diligently review their CSP agreements and take any steps necessary to comply with the new guidance.  The HHS Office for Civil Rights actively audits entities for HIPAA compliance and investigates reported incidents.