by Adam Alban, Ph.D., J.D.
The question is this: "For the purposes of HIPAA, if you have adequately encrypted your data, does your cloud storage provider need to sign a Business Associate Agreement (BAA)?"
The bottom line is that there is no crystal-clear answer to this question. The Department of Health and Human Services (HHS) hasn't specifically addressed this issue, so we are faced with the question of how to interpret the security rule. There are two basic interpretations: "no," and "yes." Both interpretations have some support, and if you proceed with one interpretation you should consider the countervailing position.
First, the basics: HIPAA Covered Entities (CEs) who work with vendors are required to have their vendors sign BAAs. This is required because it allows the federal government to enforce the provisions of HIPAA on these third-party vendors. The public policy at work is that CEs shouldn't be allowed to offload their legal responsibilities to a third party that isn't subject to regulatory oversight. BAAs are required whenever a third-party vendor has access to PHI.
Here's where it gets complicated. PHI are identifiable data, but if the data are encrypted they are not identifiable. In such a case, why is a BAA necessary?
The interpretation against requiring a BAA for encrypted data finds some support in one of HIPAA's safe harbor provisions, which states that losses of encrypted data do not trigger a breach notification (the letter that CEs send out that apologetically admits to the disclosure of your protected health information). The reason breach notifications are not required for encrypted data is that the data remain inaccessible as long as they are encrypted. The covered entity has essentially lost gibberish.
Thus, this interpretation goes, BAAs are also not required because the vendor does not have access to protected health information. That makes sense. However, it should be noted that this is a fairly permissive interpretation and HHS has declined to endorse this position.
The competing interpretation, which appears to be strongly supported by the official commentary on related regulations (especially the 2013 HITECH amendments to the HIPAA Privacy and Security Rules), is that BAAs are required even when the data are encrypted.
Support for this position includes:
- HHS has not made the criteria for breach notifications the same as the criteria for needing a BAA.
- The statutory exceptions for BAAs, such as those for parties with incidental access (e.g., a janitor or electrician) or those who are mere "conduits," do not apply to cloud storage providers. HHS has indicated that a data storage company is not a conduit because of the "persistent nature" of its contact with the data. Thus, it is persistence, **and not the degree of access,** that HHS has specifically indicated warrants consideration for the purposes of BAAs.
- Commentary prior to the adoption of the security rule asked whether the BAA requirement could be something that CEs address through their own measures, and thus render unnecessary. In other words, the question was asked, "if we as CEs take adequate security measures to ensure the protection of PHI, can we make BAAs unnecessary?" HHS specifically declined to make BAAs an "addressable" requirement.
- Besides the issue of protecting PHI, BAs have additional responsibilities. These responsibilities include accessibility, data integrity, etc. If encryption enabled vendors to escape BA status, HHS would have no jurisdiction. (From a risk management perspective, the execution of a BAA is something that many CEs do to "distribute" the risk.)
- The definition of BA isn't explicitly restricted to those who have access to PHI. The definition also includes those who perform "[a]ny other function or activity regulated by this subchapter." (See 45 CFR 160.103(1)(i)(B).) The number of functions and activities that are regulated under HIPAA is huge.
I want to emphasize that I understand the argument that where vendors have absolutely no access to PHI because the data are encrypted, the vendor doesn't have the encryption keys, etc., then HIPAA is (theoretically) a non-issue. It makes a lot of sense. However, we just don't know at this time if HHS agrees with that position, and we have some strong evidence that casts this position as too narrow.
However, the ambiguity also applies to the other interpretation: we don't know if HHS agrees with the position that the storage of encrypted PHI (where the vendor has zero access to the PHI) still requires a BAA.
Hopefully this helps, or at least provides some things to consider.
And, finally, if anyone wants to dive into the weeds on this issue, there is a very helpful paper by John Christiansen that describes the development of the regulatory framework on this issue.