Storing encrypted ePHI in the Cloud? Still Need HIPAA Compliance

November 9, 2016

Over the years there has been a lot of confusion about the HIPAA responsibilities of conduits and carriers versus cloud service providers (CSPs). The common view, not always correct, was that if you only passed data through and never accessed it you were a conduit and therefore not required to be a business associate. The next level of thought was that if you only handled encrypted data and did not hold the key you were not a business associate. OCR has now made clear that the conduit exception is narrow: it covers only transmission-only services (the USPS and UPS are the classic examples), so a CSP that stores or processes ePHI is a business associate and must meet the HIPAA standards.

Here is the latest statement from OCR: “When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA[.] This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules[.]”

In practice this means the CSP must sign a business associate agreement with the covered entity and must have an up-to-date risk assessment based on the NIST methodology (we recommend quarterly), policies in sync with the NIST safeguards, and documented staff training. If they have not already, your covered entity clients will soon ask for this proof.

Fortunately, the old days of paying five figures to have a consultant travel to your site, feed you information from a fire hose, and then leave are over. The new model is based on the cycle of compliance but is delivered remotely through a software as a service (SaaS) platform: an initial risk assessment to establish a baseline, then updating of policies and assignment of mitigation tasks, and finally staff training through an on-demand online system. At the end of each quarter a new risk assessment is done, demonstrating progress since the previous report.

This affordable and doable model can get your organization to initial HIPAA compliance in 72 hours and provide the documented proof you need to show your clients that you are HIPAA compliant on an ongoing basis.

Email me at jack@compliancehelper.com if you would like more information.
