Healthcare providers increasingly are turning to cloud-based service providers (CSPs) to manage data, but the Office for Civil Rights (OCR) reminds them that this arrangement needs a business associate (BA) agreement, even if the CSP has no access to protected health information (PHI). In addition, OCR has indicated that covered entities are not obligated to audit BAs for HIPAA compliance.

The role of CSPs in relation to HIPAA was somewhat unclear because the rule was not written to include them specifically, and one could argue that they have no access, says Nathan A. Kottkamp, JD, a partner with the law firm of McGuireWoods in Richmond, VA. The issue arises because the 2013 Omnibus Final Rule contained a subtle alteration to the definition of a business associate so that it includes an entity that “maintains” PHI, he explains.

But no one was clear on what “maintains” means in this sense, Kottkamp says. The dictionary definition suggests much more hands-on activity and affirmative action than what many would associate with a CSP, he says. CSPs make possible online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from simple data storage to electronic medical records. They also may provide on-demand internet access to networks and servers.

“What a cloud provider does is not unlike what a bank does with respect to a safety deposit box,” Kottkamp says. “They provide the environment, and though there may be a master key, banks would go out of business if they were found to be using the master key to get into people’s boxes. Some of the cloud providers could get into the data if they had to, but others just can’t because there is no key to access it.”

Cloud Providers Resisted BA

Without clear guidance, many covered entities wondered if CSPs were BAs, particularly since some CSPs would not even know if they had PHI in their customers’ stored data. Access also became an issue, with covered entities and CSPs both wondering if having no access to stored data would change their status in the eyes of the OCR. The CSPs argued that they were not BAs partly because the other interpretation would obligate them to compliance and bureaucracy that they would rather avoid.

“We had companies saying they were not a business associate, and so they’re not going to sign your papers,” Kottkamp says. “They did not want to enter into an agreement with every client that might have PHI in their stored data.”

Access to Data Not Necessary

Some CSPs were begrudgingly beginning to accept that they are BAs, but recent OCR guidance erases all doubt. (Editor’s Note: The guidance is available online at:

In a particularly important note, OCR explained that even when a CSP stores only encrypted electronic PHI (ePHI) and does not have a decryption key — what OCR calls a “no-view service” — it is still a HIPAA BA.

“Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA rules,” the OCR guidance says. “An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI.”

The encryption does not negate the BA status because it does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remain available to authorized persons even during emergency or disaster situations, OCR explains. Encryption also does not address other safeguards that also are important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI, the guidance says.

CSPs also argued that they fell under the “conduit” exception in HIPAA, which says that PHI merely passing through an entity does not make that entity a BA. The conduit exception does not apply to CSPs because they should have at least limited access to the data, OCR explained. Unlike PHI merely passing through with no attention from the conduit, the CSP must create a mechanism to at least identify the owners of the data to let them know a breach has occurred or data have been destroyed, Kottkamp says.

“The guidance confirmed what they meant by maintaining data,” he says. “It’s not just about the content of the data. ‘Maintain’ means protecting and providing access to that data, and that’s what these [CSPs] do. They have to do that, even if they never have access to the data itself.”

Review BA Agreements

OCR recently finalized a resolution agreement and corrective action plan with a healthcare provider that stored ePHI of more than 3,000 people on a cloud-based server without entering a BA agreement with the CSP. (Editor's Note: For more on that case, please see the story below.)

However, OCR guidance says that if a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is not a business associate. De-identified data are not considered protected health information.

Hospitals and health systems should review their use of CSPs and ensure each has a BA tailored to the way it interacts with PHI, Kottkamp recommends.

“Cloud providers have no argument now that they are not business associates, so they should be incorporating this into their operations quickly,” he says. “If you had cloud providers who balked at signing your agreement and participating with your HIPAA compliance program, you can go back to them and say there is no reason to resist now, and if they want do business with you, they have to agree they’re business associates.”

Not Required to Audit

Even without a BA agreement, the CSP becomes a BA by definition once it participates in BA activities. That could leave some CSPs in a difficult position if they are trying to stay out of that territory, Kottkamp says. They may provide all sorts of warnings and declarations that they do not want to store PHI, but once a customer disregards their wishes and posts the private data, OCR could argue that they became a BA, he explains.

“It is unclear how much a cloud host has to do to know whether a client is storing PHI on their system,” Kottkamp says. “And if they find PHI, do they have to get rid of the customer, or is it enough to keep telling them you’re not a business associate so you’re not responsible for protecting this PHI? That question hasn’t been answered yet.”

The good news in the guidance is that covered entities are not required to monitor or audit their BAs for compliance with HIPAA. OCR most likely made that clear because BAs can be held directly liable for violations now, Kottkamp says.

“If OCR wants to know how a business associate is doing in terms of compliance, it can look into that directly,” he says. “It’s not going to force the covered entity to engage in its own separate enforcement and oversight activities. That’s good news for covered entities, because they have enough on their plate as is, and checking up on every one of your business associates could be more than they’re capable of doing.”


Cloud Service Provider Needed BA Agreement

A HIPAA breach at Oregon Health & Science University (OHSU) illustrates how CSPs fit into compliance efforts. In addition to other violations, the OCR dinged OHSU for not having a BA agreement with a CSP.

OCR concluded that OHSU had “widespread and diverse problems” with HIPAA compliance. OHSU had submitted multiple breach reports affecting thousands of patients, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. The violations were settled with a comprehensive three-year corrective action plan and a monetary payment of $2.7 million.

The violations included the storage of the ePHI of more than 3,000 individuals on a cloud-based server without a BA agreement. OCR found there was “significant risk of harm” to 1,361 of these individuals due to the sensitive nature of their diagnoses.

OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR’s investigation found that these analyses did not cover all OHSU ePHI.

“OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level,” OCR reported. “OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.”

Furthermore, OCR said OHSU should have addressed the lack of a BA agreement before allowing a vendor to store ePHI. OCR Director Jocelyn Samuels said, “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”