If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Answer:
Yes, because the CSP receives and maintains (e.g., to process and/or
store) electronic protected health information (ePHI) for a covered
entity or another business associate. Lacking an encryption key for the
encrypted data it receives and maintains does not exempt a CSP from
business associate status and associated obligations under the HIPAA
Rules. An entity that maintains ePHI on behalf of a covered entity (or
another business associate) is a business associate, even if the entity
cannot actually view the ePHI.[1]
Thus, a CSP that maintains encrypted ePHI on behalf a covered entity
(or another business associate) is a business associate, even if it does
not hold a decryption key[i] and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services
to describe the situation in which the CSP maintains encrypted ePHI on
behalf of a covered entity (or another business associate) without
having access to the decryption key.
While encryption protects ePHI by significantly reducing the risk of
the information being viewed by unauthorized persons, such protections
alone cannot adequately safeguard the confidentiality, integrity, and
availability of ePHI as required by the Security Rule. Encryption does
not maintain the integrity and availability of the ePHI, such as
ensuring that the information is not corrupted by malware, or ensuring
through contingency planning that the data remains available to
authorized persons even during emergency or disaster situations.
Further, encryption does not address other safeguards that are also
important to maintaining confidentiality, such as administrative
safeguards to analyze risks to the ePHI or physical safeguards for
systems and servers that may house the ePHI.
As a business associate, a CSP providing no-view services is not
exempt from any otherwise applicable requirements of the HIPAA Rules.
However, the requirements of the Rules are flexible and scalable to take
into account the no-view nature of the services provided by the CSP.
| Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure to Non-BA Vendors Covered Entity: Health Plans Issue: Impermissible Uses and Disclosures; Safeguards A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. Among other corrective actions to resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes. The new procedures were instituted in Medicaid offices and independent ...read more |
| Private Practice Implements Safeguards for Waiting Rooms Covered Entity: Private Practice Issue: Safeguards; Impermissible Uses and Disclosures A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and ...read more |
| No Business Associate Agreement? $31K Mistake The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following an initiation ...read more |
| Private Practice Revises Process to Provide Access to Records Regardless of Payment Source Covered Entity: Private Practices Issue: Access At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the ...read more |
|
December 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
HIPAA (2)
EHR Fraud (1)
BAA (4)
HIPAA Enforcement (3)
Data Breach (1)
PPP Fraud (1)
Telehealth (1)
ePHI (2)
Covered Entity (40)
|
