NBJ Online | Column of the Month
By Kelly L. Frey
New guidance from the Department of Health and Human Services concludes that Cloud Service Providers (CSPs) that create, receive, maintain, or transmit electronic protected health information (ePHI) [on behalf of covered entities] … are Business Associates under HIPAA. That conclusion has far-reaching effects and will require immediate remediation by many covered entities (and by business associates acting on their behalf, since the new guidance extends to subcontractors of business associates). The most important step any covered entity or business associate involved in cloud computing activities needs to take is to immediately supplement its cloud agreements with formal Business Associate Agreements (BAAs) and to confirm that its cloud provider is in compliance with the HIPAA privacy, security, and breach notification rules. The guidance provides:
When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.
The guidance specifically addresses the chain of contracts and relationships that may exist across a number of contractors and subcontractors involved in the flow of ePHI in the cloud environment: “[I]f a HIPAA Business Associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on the BA's behalf, then the CSP subcontractor is itself a BA.”
Previously, CSPs have sought exemption from HIPAA BA requirements as being merely a “conduit” of the electronic data flow—contending that a CSP is a “transmission-only” service. The guidance disagrees with this analysis and concludes that CSPs are BAs even if the CSP cannot actually view the ePHI (i.e., the ePHI is encrypted and the CSP does not hold the key). Encryption limits what the CSP can read, but it does not relieve the CSP of BA status or of its own obligations under the HIPAA Rules, including the Security Rule's safeguards. As a result, a CSP must ensure that it only uses and discloses the encrypted information as permitted by its BAA and HIPAA's Privacy Rule. Further, the HIPAA Privacy Rule also imposes standards regarding BAAs, which HHS's guidance addresses in the cloud computing context. (For example, a BA must make ePHI available as necessary for a covered entity to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of certain disclosures of ePHI, and the BA must satisfy HIPAA's breach notification requirements.)
Covered Entities and Business Associates using cloud services should immediately audit their agreements to confirm that appropriate Service Level Agreements (SLAs) are in place that are compliant with the guidance, that they have Business Associate Agreements in place with each CSP, and that those agreements flow the BAA requirements down to the CSP's subcontractors. CSPs should immediately audit their service standards to confirm that they are HIPAA compliant and that they have control processes in place to address the remediation and notice provisions with respect to ePHI. The full guidance is available from the Department of Health and Human Services.
By Noel Bagwell
My column is new to the NBJ, so please indulge me in a brief orientation to the purpose of this column in general, and of this article in particular. Herein, I aim to discuss timely issues from a preventive legal perspective. The goal is to help my readers (and their clients) foresee legal risks and guide them toward legal solutions that will address those risks before they become expensive legal problems.
From time to time, I consult with individuals who are interested in entering or otherwise operating in the market for legally growing or selling cannabis. At the state level, several states recently have decriminalized recreational marijuana use, among them California and Massachusetts. Senator Jeff Sessions, President-Elect Donald J. Trump’s choice for Attorney General, is known to be an ardent opponent of making marijuana legal.
Everyone would do well to remember that marijuana is still illegal, nationwide, under federal law. Activists opposed to the continued prohibition of drugs, including marijuana, are concerned that Sessions’s appointment may lead to more federal law enforcement raids of marijuana operations in states where marijuana has been decriminalized at the state level.
During his campaign, President-elect Trump promised to respect state laws on the issue of marijuana. During his confirmation hearing on January 10, however, Sen. Sessions affirmed his understanding of the role of the Attorney General in the executive branch of the federal government—specifically stating that it was his job to carry out the laws created and passed by Congress. This leaves Sen. Sessions caught between a rock and a hard place: between doing what he knows is his duty under the law and doing what is politically popular, not to mention what may please the President at whose pleasure he would serve as Attorney General.
When advising prospective clients who have approached me with an interest in operating in the market for legally growing or selling cannabis, I have advised extreme caution, citing the federal illegality of such endeavors. Patiently and with a gentle spirit, I remind such entrepreneurs that the very foundations of their enterprise are still quite illegal, and could expose them not only to great pecuniary losses and civil legal penalties, but to criminal penalties as well.
Unlike Senator Sessions, the Obama administration’s Attorneys General have exhibited a shockingly deficient understanding of their role in the federal government, preferring to facilitate administrative and executive rule over the nation rather than simply and fairly enforcing the laws passed by Congress and interpreted by the Supreme Court. Let me say this as charitably as I can. Under the Obama regime, laws with which the president and those who serve at his pleasure disagree have, at best, been unevenly enforced. This has led to great criticism of, and confusion about, the Obama administration’s approach to the issue of the decriminalization of marijuana.
Tim Dickinson’s 2012 article in Rolling Stone, Obama’s War on Pot, echoed activists’ claims, quoting Rob Kampia, executive director of the Marijuana Policy Project: “There's no question that Obama's the worst president on medical marijuana,” Kampia said, adding, “He's gone from first to worst.” Hopeful cannabis industry entrepreneurs would do well to remember that in 2008, when Obama was running for President, he said, “I'm not going to be using Justice Department resources to try to circumvent state laws on this issue.” Sound familiar?
When starting a business—or growing one—a savvy businessperson will take precautions to ensure their business activities are legal at every level of government: local, state, and federal. To engage in what some might believe to be a legal “gray area” between state and federal law is to court disaster.