If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
November 2 2022
Posted in: ePHI
Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
November 2 2022
Posted in: ePHI
Issued by: Office for Civil Rights (OCR)
Answer: Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that ...