If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Answer:
Yes, because the CSP receives and maintains (e.g., to process and/or
store) electronic protected health information (ePHI) for a covered
entity or another business associate. Lacking an encryption key for the
encrypted data it receives and maintains does not exempt a CSP from
business associate status and associated obligations under the HIPAA
Rules. An entity that maintains ePHI on behalf of a covered entity (or
another business associate) is a business associate, even if the entity
cannot actually view the ePHI.[1]
Thus, a CSP that maintains encrypted ePHI on behalf a covered entity
(or another business associate) is a business associate, even if it does
not hold a decryption key[i] and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services
to describe the situation in which the CSP maintains encrypted ePHI on
behalf of a covered entity (or another business associate) without
having access to the decryption key.
While encryption protects ePHI by significantly reducing the risk of
the information being viewed by unauthorized persons, such protections
alone cannot adequately safeguard the confidentiality, integrity, and
availability of ePHI as required by the Security Rule. Encryption does
not maintain the integrity and availability of the ePHI, such as
ensuring that the information is not corrupted by malware, or ensuring
through contingency planning that the data remains available to
authorized persons even during emergency or disaster situations.
Further, encryption does not address other safeguards that are also
important to maintaining confidentiality, such as administrative
safeguards to analyze risks to the ePHI or physical safeguards for
systems and servers that may house the ePHI.
As a business associate, a CSP providing no-view services is not
exempt from any otherwise applicable requirements of the HIPAA Rules.
However, the requirements of the Rules are flexible and scalable to take
into account the no-view nature of the services provided by the CSP.
| Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI? This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded. Yes. When an individual requests access to her PHI and the covered entity intends to charge the ...read more |
| If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...read more |
| Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more |
| Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know" Covered Entity: General Hospital Issue: Impermissible Use and Disclosure A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. OCR’s investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospital’s OR schedule contained information about the complainant’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee ...read more |
|
May 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
Data Breach (1)
HIPAA Enforcement (3)
Covered Entity (40)
Telehealth (1)
PPP Fraud (1)
BAA (4)
EHR Fraud (1)
ePHI (2)
HIPAA (2)
|
