If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Answer:
Yes, because the CSP receives and maintains (e.g., to process and/or
store) electronic protected health information (ePHI) for a covered
entity or another business associate. Lacking an encryption key for the
encrypted data it receives and maintains does not exempt a CSP from
business associate status and associated obligations under the HIPAA
Rules. An entity that maintains ePHI on behalf of a covered entity (or
another business associate) is a business associate, even if the entity
cannot actually view the ePHI.[1]
Thus, a CSP that maintains encrypted ePHI on behalf a covered entity
(or another business associate) is a business associate, even if it does
not hold a decryption key[i] and therefore cannot view the information. For convenience purposes this guidance uses the term no-view services
to describe the situation in which the CSP maintains encrypted ePHI on
behalf of a covered entity (or another business associate) without
having access to the decryption key.
While encryption protects ePHI by significantly reducing the risk of
the information being viewed by unauthorized persons, such protections
alone cannot adequately safeguard the confidentiality, integrity, and
availability of ePHI as required by the Security Rule. Encryption does
not maintain the integrity and availability of the ePHI, such as
ensuring that the information is not corrupted by malware, or ensuring
through contingency planning that the data remains available to
authorized persons even during emergency or disaster situations.
Further, encryption does not address other safeguards that are also
important to maintaining confidentiality, such as administrative
safeguards to analyze risks to the ePHI or physical safeguards for
systems and servers that may house the ePHI.
As a business associate, a CSP providing no-view services is not
exempt from any otherwise applicable requirements of the HIPAA Rules.
However, the requirements of the Rules are flexible and scalable to take
into account the no-view nature of the services provided by the CSP.
| Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena Covered Entity: General Hospital Issue: Impermissible Uses and Disclosures A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information ...read more |
| Clinic Sanctions Supervisor for Accessing Employee Medical Record Covered Entity: Outpatient Facility Issue: Impermissible Use and Disclosure A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Among other corrective actions to resolve the specific issues in the case, a letter ...read more |
| Private Practice Revises Process to Provide Access to Records Covered Entity: Private Practices Issue: Access A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary ...read more |
| Hospital Implements New Minimum Necessary Polices for Telephone Messages Covered Entity: General Hospital Issue: Minimum Necessary; Confidential Communications A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. ...read more |
|
April 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
Data Breach (1)
Covered Entity (40)
BAA (4)
HIPAA (2)
HIPAA Enforcement (3)
Telehealth (1)
EHR Fraud (1)
ePHI (2)
PPP Fraud (1)
|
