If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Answer:
Yes, because the CSP receives and maintains (e.g., to process and/or
store) electronic protected health information (ePHI) for a covered
entity or another business associate. Lacking an encryption key for the
encrypted data it receives and maintains does not exempt a CSP from
business associate status and associated obligations under the HIPAA
Rules. An entity that maintains ePHI on behalf of a covered entity (or
another business associate) is a business associate, even if the entity
cannot actually view the ePHI.[1]
Thus, a CSP that maintains encrypted ePHI on behalf a covered entity
(or another business associate) is a business associate, even if it does
not hold a decryption key[i] and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services
to describe the situation in which the CSP maintains encrypted ePHI on
behalf of a covered entity (or another business associate) without
having access to the decryption key.
While encryption protects ePHI by significantly reducing the risk of
the information being viewed by unauthorized persons, such protections
alone cannot adequately safeguard the confidentiality, integrity, and
availability of ePHI as required by the Security Rule. Encryption does
not maintain the integrity and availability of the ePHI, such as
ensuring that the information is not corrupted by malware, or ensuring
through contingency planning that the data remains available to
authorized persons even during emergency or disaster situations.
Further, encryption does not address other safeguards that are also
important to maintaining confidentiality, such as administrative
safeguards to analyze risks to the ePHI or physical safeguards for
systems and servers that may house the ePHI.
As a business associate, a CSP providing no-view services is not
exempt from any otherwise applicable requirements of the HIPAA Rules.
However, the requirements of the Rules are flexible and scalable to take
into account the no-view nature of the services provided by the CSP.
| Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety Covered Entity: General Hospital Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s ...read more |
| Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions Covered Entity: Health Plans Issue: Impermissible Uses and Disclosures An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual. In addition, the employee who made the disclosure was counseled and given a written warning. ...read more |
| Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees Covered Entity: Private Practice Issue: Access A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To ...read more |
| § 164.314 Organizational requirements. (a) (1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (2) Implementation specifications (Required) - (i) Business associate contracts. The contract must provide that the business associate will - (A) Comply with the applicable requirements of this subpart; (B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of ...read more |
|
February 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
|
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
PPP Fraud (1)
HIPAA Enforcement (3)
Telehealth (1)
ePHI (2)
BAA (4)
Data Breach (1)
EHR Fraud (1)
Covered Entity (40)
HIPAA (2)
|
