Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Issued by: Office for Civil Rights (OCR)
Do the HIPAA Rules
allow a covered entity or business associate to use a CSP that stores
ePHI on servers outside of the United States?
Answer:
Yes, provided the covered entity (or business associate) enters into a
business associate agreement (BAA) with the CSP and otherwise complies
with the applicable requirements of the HIPAA Rules. However, while the
HIPAA Rules do not include requirements specific to protection of
electronic protected health information (ePHI) processed or stored by a
CSP or any other business associate outside of the United States, OCR
notes that the risks to such ePHI may vary greatly depending on its
geographic location. In particular, outsourcing storage or other
services for ePHI overseas may increase the risks and vulnerabilities to
the information or present special considerations with respect to
enforceability of privacy and security protections over the data.
Covered entities (and business associates, including the CSP) should
take these risks into account when conducting the risk analysis and risk
management required by the Security Rule. See 45 CFR §§
164.308(a)(1)(ii)(A) and (a)(1)(ii)(B). For example, if ePHI is
maintained in a country where there are documented increased attempts at
hacking or other malware attacks, such risks should be considered, and
entities must implement reasonable and appropriate technical safeguards
to address such threats.
| If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate? Answer: Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually ...read more |
| Radiologist Revises Process for Workers Compensation Disclosures Covered Entity: Health Care Provider Issue: Impermissible Uses and Disclosures A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to the patient’s employer. The claim included the patient’s test results. However, the patient was not covered by worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. Among other corrective actions to resolve the specific issues in the case, the practice apologized to ...read more |
| Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)? Yes. To the extent a covered entity is using a process either to obtain consent or act on an individual’s right to request restrictions under the Privacy Rule as a method for effectuating individual choice, policies can be developed for obtaining consent or honoring restrictions on a granular level, based on the type of information involved. For example, specific consent and restriction policies could ...read more |
| Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers Covered Entity: General Hospitals Issue: Impermissible Uses and Disclosures; Authorizations A state health sciences center disclosed protected health information to a complainant's employer without authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. All staff was trained on the revised procedures. ...read more |
|
December 2024
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
11/12/22 Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?
Blog Archives
November 2022 (54)
Blog Labels
ePHI (2)
Data Breach (1)
EHR Fraud (1)
BAA (3)
HIPAA (2)
HIPAA Enforcement (3)
Covered Entity (40)
Telehealth (1)
PPP Fraud (1)
|
