OCR to Covered Entities: Choose Carefully Among Cloud Service Providers

Feb. 13, 2013, 12:12 AM UTC

The Office for Civil Rights (“OCR”) recently sent a clear message to covered entities that place Protected Health Information in the cloud: ensure that your cloud service provider agrees to privacy and security controls, or face potential legal liability. In April 2012, OCR entered into a $100,000 settlement with Phoenix Cardiac Surgery, P.C. (“PCS”) resolving allegations of various violations of the HIPAA Privacy and Security Rules, including, among others, failure to enter into appropriate business associate agreements with its cloud service providers where the provision of services included storage of and access to its electronic Protected Health Information (“ePHI”). OCR reiterated this message in its January 2013 Final Omnibus Rule (78 Fed. Reg. 5566 (Jan. 25, 2013)), making clear that an entity that maintains or stores ePHI on behalf of a covered entity is a business associate based on its access to ePHI, even if the entity does not actually view the ePHI or does so only on a random or infrequent basis.

PCS Investigation and Settlement

The PCS settlement follows an extensive three-year investigation, stemming from allegations that PCS posted patients’ clinical and surgical appointments on an internet-based calendar that was publicly accessible. It was also alleged that PCS transmitted ePHI from an internet-based email account to workforce members’ personal internet-based email accounts.

Through the course of its investigation, OCR found that PCS maintained insufficient policies and procedures to comply with the HIPAA Privacy and Security Rules and had implemented limited safeguards to protect patients’ ePHI. Among other deficiencies, OCR found that PCS failed to obtain satisfactory assurances from its cloud service providers.

Specifically, OCR concluded that PCS permitted an entity providing an internet-based email account to receive, store, maintain and transmit ePHI on PCS’s behalf without obtaining a business associate agreement with the entity. OCR also found that PCS permitted an entity providing an Internet-based calendar application to receive, store and maintain ePHI on its behalf without obtaining a business associate agreement with the entity.

The PCS settlement makes clear that appropriate business associate agreements with providers of cloud services are required, at least where the provision of service includes storage of and access to ePHI. OCR reiterated this point in its 2013 Final Omnibus Rule.

Final Omnibus Rule

While entities that provide mere data transmission services and have only random or infrequent access to ePHI are not considered business associates, OCR made clear that entities that store or maintain ePHI qualify as business associates because they have access to PHI, even if they do not actually view the information or do so only on a random or infrequent basis.

While acknowledging there is an exception to the definition of “business associate” for conduits, OCR emphasized that the exception is narrow. As OCR explained, “[w]e note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.” (78 Fed. Reg. at 5572). OCR expressly revised the definition of “business associate” to help clarify this point, including in the definition any person who “creates, receives, maintains, or transmits” (emphasis added) PHI on behalf of a covered entity.

OCR’s David Holtzman recently discussed the PCS settlement at the Annual Compliance Institute of the Health Care Compliance Association, making the following recommendation to covered entities: “If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.”

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, made similar statements prior to the release of the Final Omnibus Rule. At a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, she observed that movement of health data to the cloud was inevitable and stated that the Rule would clarify that all business associates with access to PHI would be required to follow the HIPAA privacy and security rules. According to Pritts, “[t]hat brings cloud services under direct regulation of HIPAA.”

Potential Penalties

While the PCS settlement is relatively modest in amount, failure to enter into appropriate business associate agreements and implement other appropriate safeguards could result in even higher penalties under HIPAA.

Failure to sign a business associate agreement where one is required violates HIPAA and, like all HIPAA violations, is punishable by civil and criminal penalties. Each day of non-compliance may be a separate violation with civil penalties of up to $50,000 per violation and up to $1.5 million per calendar year for multiple violations of an identical provision.

Of course, if an action or inaction implicates multiple HIPAA requirements, as does the failure to enter into a business associate agreement pursuant to requirements under both the Privacy Rule and the Security Rule, civil penalties can be higher than $1.5 million. Moreover, there can be significant damage to an entity’s business reputation if the entity becomes the target of a government investigation.

In addition to the risk of enforcement by the federal government, state attorneys general may seek damages with respect to health information of their residents of up to $100 per violation and up to $25,000 per calendar year for multiple violations of an identical provision. Thus, in total, legal exposure could easily reach the millions of dollars for a continuing failure to safeguard PHI. There is precedent for such a penalty, as OCR has pursued settlements exceeding $1 million against other covered entities for violations of the Privacy and Security Rules.

OCR’s investigation of PCS—a provider of cardiothoracic surgery physician services to patients—also makes clear that the agency will aggressively pursue Privacy and Security Rule violations, regardless of the size of the provider. Leon Rodriguez, director of OCR, cautions that OCR “… hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

Recommendations

HIPAA compliance need not be an obstacle to obtaining the operational and cost efficiencies of cloud computing, but, to help avoid the risk of a costly HIPAA violation, covered entities should consider only cloud service providers that offer a HIPAA-compliant business associate agreement. Such business associate agreements should, at a minimum, require such entities to:

•  Implement reasonable and appropriate administrative, physical, and technical safeguards as required by HIPAA;

•  Limit their uses and disclosures of the covered entity’s PHI, including assurance that PHI will not be mined for the business associate’s advertising or other commercial purposes or for any secondary purpose unrelated to providing cloud services to the covered entity;

•  Notify the covered entity’s customers of any uses and disclosures that are not permitted under the business associate agreement, of security incidents, and of breaches of unsecured PHI; and

•  Facilitate the rights of covered entity customers to access, amend, and receive an accounting of disclosures with respect to their PHI.

In addition, covered entities should ensure that their cloud service providers implement administrative, physical and technical safeguards in compliance with the HIPAA Security Rule, including, but not limited to, access and authentication controls; encryption of electronic transmissions or other technical security measures to guard against unauthorized access to ePHI transmitted over electronic communication networks; and intrusion detection software or other policies and procedures for identifying, responding to, reporting, and mitigating security incidents.
