If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Answer:
Yes, because the CSP receives and maintains (e.g., to process and/or
store) electronic protected health information (ePHI) for a covered
entity or another business associate. Lacking an encryption key for the
encrypted data it receives and maintains does not exempt a CSP from
business associate status and associated obligations under the HIPAA
Rules. An entity that maintains ePHI on behalf of a covered entity (or
another business associate) is a business associate, even if the entity
cannot actually view the ePHI.[1]
Thus, a CSP that maintains encrypted ePHI on behalf a covered entity
(or another business associate) is a business associate, even if it does
not hold a decryption key[i] and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services
to describe the situation in which the CSP maintains encrypted ePHI on
behalf of a covered entity (or another business associate) without
having access to the decryption key.
While encryption protects ePHI by significantly reducing the risk of
the information being viewed by unauthorized persons, such protections
alone cannot adequately safeguard the confidentiality, integrity, and
availability of ePHI as required by the Security Rule. Encryption does
not maintain the integrity and availability of the ePHI, such as
ensuring that the information is not corrupted by malware, or ensuring
through contingency planning that the data remains available to
authorized persons even during emergency or disaster situations.
Further, encryption does not address other safeguards that are also
important to maintaining confidentiality, such as administrative
safeguards to analyze risks to the ePHI or physical safeguards for
systems and servers that may house the ePHI.
As a business associate, a CSP providing no-view services is not
exempt from any otherwise applicable requirements of the HIPAA Rules.
However, the requirements of the Rules are flexible and scalable to take
into account the no-view nature of the services provided by the CSP.
| Wednesday, November 9, 2022 A federal grand jury in Newark, New Jersey, returned an indictment today charging an Indian national for fraudulently obtaining millions of dollars in Paycheck Protection Program (PPP) loans guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. According to court documents, Abhishek Krishnan, 40, previously resided in Wake County, North Carolina, before returning to his home country of India. After returning to India, Krishnan allegedly submitted numerous fraudulent PPP loan applications to federally insured banks, including on behalf of purported companies that were not registered business entities. ...read more |
| Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena Covered Entity: General Hospital Issue: Impermissible Uses and Disclosures A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information ...read more |
| When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? Answer: The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances summarized below. For a complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the citations provided. Disclosures for law enforcement purposes are permitted as follows: To comply with a court order or ...read more |
| May a covered entity use or disclose protected health information for litigation? Answer: A covered entity may use or disclose protected health information as permitted or required by the Privacy Rule, see 45 CFR 164.502(a) (PDF); and, subject to certain conditions the Rule typically permits uses and disclosures for litigation, whether for judicial or administrative proceedings, under particular provisions for judicial and administrative proceedings set forth at 45 CFR 164.512(e) (GPO), or as part of the covered entity’s health care operations, 45 CFR 164.506(a) (PDF). Depending on the context, a covered entity’s use or disclosure of protected health information in ...read more |
|
August 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
HIPAA Enforcement (3)
Data Breach (1)
PPP Fraud (1)
ePHI (2)
Telehealth (1)
BAA (4)
EHR Fraud (1)
Covered Entity (40)
HIPAA (2)
|
