What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
Issued by: Office for Civil Rights (OCR)
What if a HIPAA covered
entity (or business associate) uses a CSP to maintain ePHI without
first executing a business associate agreement with that CSP?
Answer:
If a covered entity (or business associate) uses a CSP to maintain
(e.g., to process or store) electronic protected health information
(ePHI) without entering into a BAA with the CSP, the covered entity (or
business associate) is in violation of the HIPAA Rules. 45 C.F.R
§§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan
with a covered entity that OCR determined stored ePHI of over 3,000
individuals on a cloud-based server without entering into a BAA with the
CSP.[1]
Further, a CSP that meets the definition of a business associate –
that is a CSP that creates, receives, maintains, or transmits PHI on
behalf of a covered entity or another business associate – must comply
with all applicable provisions of the HIPAA Rules, regardless of whether
it has executed a BAA with the entity using its services. See 78 Fed.
Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may,
however, be circumstances where a CSP may not have actual or
constructive knowledge that a covered entity or another business
associate is using its services to create, receive, maintain, or
transmit ePHI. The HIPAA Rules provide an affirmative defense in cases
where a CSP takes action to correct any non-compliance within 30 days
(or such additional period as OCR may determine appropriate based on the
nature and extent of the non-compliance) of the time that it knew or
should have known of the violation (e.g., at the point the CSP knows or
should have known that a covered entity or business associate customer
is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative
defense does not, however, apply in cases where the CSP was not aware of
the violation due to its own willful neglect.
If a CSP becomes aware that it is maintaining ePHI, it must come into
compliance with the HIPAA Rules, or securely return the ePHI to the
customer or, if agreed to by the customer, securely destroy the ePHI.
Once the CSP securely returns or destroys the ePHI (subject to
arrangement with the customer), it is no longer a business associate.
We recommend CSPs document these actions.
While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from
using or disclosing the data in a manner that is inconsistent with the
Rules.
| Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access provision. These cases are part of a collective effort, bringing the total 41 cases, to drive compliance on right of access under the law. “These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA ...read more |
| Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books Covered Entity: Pharmacies Issue: Safeguards A grocery store based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. OCR issued a written analysis and a demand for compliance. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the ...read more |
| Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)? Yes. To the extent a covered entity is using a process either to obtain consent or act on an individual’s right to request restrictions under the Privacy Rule as a method for effectuating individual choice, policies can be developed for obtaining consent or honoring restrictions on a granular level, based on the type of information involved. For example, specific consent and restriction policies could ...read more |
| Large Health System Restricts Provider's Use of Patient Records Covered Entity: Multi-Hospital Healthcare Provider Issue: Impermissible Use A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training. ...read more |
|
June 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
ePHI (2)
Telehealth (1)
HIPAA Enforcement (3)
PPP Fraud (1)
Data Breach (1)
HIPAA (2)
Covered Entity (40)
BAA (4)
EHR Fraud (1)
|
