What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
Issued by: Office for Civil Rights (OCR)
What if a HIPAA covered
entity (or business associate) uses a CSP to maintain ePHI without
first executing a business associate agreement with that CSP?
Answer:
If a covered entity (or business associate) uses a CSP to maintain
(e.g., to process or store) electronic protected health information
(ePHI) without entering into a BAA with the CSP, the covered entity (or
business associate) is in violation of the HIPAA Rules. 45 C.F.R
§§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan
with a covered entity that OCR determined stored ePHI of over 3,000
individuals on a cloud-based server without entering into a BAA with the
CSP.[1]
Further, a CSP that meets the definition of a business associate –
that is a CSP that creates, receives, maintains, or transmits PHI on
behalf of a covered entity or another business associate – must comply
with all applicable provisions of the HIPAA Rules, regardless of whether
it has executed a BAA with the entity using its services. See 78 Fed.
Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may,
however, be circumstances where a CSP may not have actual or
constructive knowledge that a covered entity or another business
associate is using its services to create, receive, maintain, or
transmit ePHI. The HIPAA Rules provide an affirmative defense in cases
where a CSP takes action to correct any non-compliance within 30 days
(or such additional period as OCR may determine appropriate based on the
nature and extent of the non-compliance) of the time that it knew or
should have known of the violation (e.g., at the point the CSP knows or
should have known that a covered entity or business associate customer
is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative
defense does not, however, apply in cases where the CSP was not aware of
the violation due to its own willful neglect.
If a CSP becomes aware that it is maintaining ePHI, it must come into
compliance with the HIPAA Rules, or securely return the ePHI to the
customer or, if agreed to by the customer, securely destroy the ePHI.
Once the CSP securely returns or destroys the ePHI (subject to
arrangement with the customer), it is no longer a business associate.
We recommend CSPs document these actions.
While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from
using or disclosing the data in a manner that is inconsistent with the
Rules.
| Issued by: Office for Civil Rights (OCR) Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? Answer: Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that ...read more |
| Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Covered Entity: Outpatient Facility Issue: Impermissible Uses and Disclosures An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board ...read more |
| If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...read more |
| Private Practice Revises Process to Provide Access to Records Regardless of Payment Source Covered Entity: Private Practices Issue: Access At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the ...read more |
|
July 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54) January 2025 (1)
Blog Labels
EHR Fraud (1) Telehealth (1) Covered Entity (40) PPP Fraud (1) ePHI (2) HIPAA (2) HIPAA Enforcement (3) Data Breach (1) BAA (4)
|