QUESTION: As a TPA for group health plans, we are considering contracting with a cloud service provider to back up our clients’ electronic protected health information (ePHI). Do we need a HIPAA business associate contract with the cloud service provider?
ANSWER: A cloud service provider (CSP) is a HIPAA business associate when a covered entity, such as a group health plan, engages the CSP to create, receive, maintain, or transmit ePHI (for example, to process or store ePHI) on its behalf. Similarly, when a business associate, such as a TPA, subcontracts with a CSP to create, receive, maintain, or transmit ePHI on the TPA’s behalf, the CSP is a business associate subcontractor. Therefore, you must have a business associate subcontract in place with the CSP before the CSP receives any of your clients’ ePHI.
It is important to recognize that a business associate relationship is established even if the CSP processes or stores only encrypted ePHI and has no decryption key for the data (sometimes called a “no-view” service). Lacking a decryption key does not exempt a CSP from business associate status and obligations under HIPAA, because encryption protects the confidentiality of PHI but does not by itself address the PHI’s integrity or availability (for example, the CSP can still lose, corrupt, or fail to make available the encrypted backups). As a result, a business associate and its CSP subcontractor must enter into a HIPAA-compliant business associate contract even if the CSP stores only encrypted ePHI. The contract can reflect the actual division of responsibility (for example, that the TPA, not the CSP, manages the encryption keys), but it cannot eliminate the CSP’s business associate obligations. The CSP is both contractually liable for complying with the business associate contract’s terms and directly liable for compliance with the applicable requirements of HIPAA.
For example, as a business associate, the CSP retains responsibility under the HIPAA security rule for implementing reasonable and appropriate controls to limit access to the information systems that maintain customer ePHI. Thus, the CSP must consider and address, as part of its risk analysis and risk management process, the risk of a malicious actor gaining unauthorized access to the administrative tools of its systems, which could disrupt system operations and impair the confidentiality, integrity, and availability of ePHI (including the availability of the backups you are relying on the CSP to keep).
In addition, the CSP may use and disclose ePHI only as permitted by its business associate contract and the HIPAA privacy rule, or as otherwise required by law. CSPs offer widely varying services depending on users’ requirements, ranging from simple data storage to complete computing infrastructure. When drafting a business associate subcontract with a CSP, it is important to have a clear understanding of the services the CSP will provide, because the scope of services determines both the appropriate security safeguards (and which party is responsible for each) and the permissible uses and disclosures under the privacy rule.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.B (“What Is a Business Associate?”) and XXX.B (“Core Security Requirements: Administrative Safeguards”).
Contributing Editors: EBIA Staff.