What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
Issued by: Office for Civil Rights (OCR)
What if a HIPAA covered
entity (or business associate) uses a CSP to maintain ePHI without
first executing a business associate agreement with that CSP?
Answer:
If a covered entity (or business associate) uses a CSP to maintain
(e.g., to process or store) electronic protected health information
(ePHI) without entering into a BAA with the CSP, the covered entity (or
business associate) is in violation of the HIPAA Rules. 45 C.F.R
§§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan
with a covered entity that OCR determined stored ePHI of over 3,000
individuals on a cloud-based server without entering into a BAA with the
CSP.[1]
Further, a CSP that meets the definition of a business associate –
that is a CSP that creates, receives, maintains, or transmits PHI on
behalf of a covered entity or another business associate – must comply
with all applicable provisions of the HIPAA Rules, regardless of whether
it has executed a BAA with the entity using its services. See 78 Fed.
Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may,
however, be circumstances where a CSP may not have actual or
constructive knowledge that a covered entity or another business
associate is using its services to create, receive, maintain, or
transmit ePHI. The HIPAA Rules provide an affirmative defense in cases
where a CSP takes action to correct any non-compliance within 30 days
(or such additional period as OCR may determine appropriate based on the
nature and extent of the non-compliance) of the time that it knew or
should have known of the violation (e.g., at the point the CSP knows or
should have known that a covered entity or business associate customer
is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative
defense does not, however, apply in cases where the CSP was not aware of
the violation due to its own willful neglect.
If a CSP becomes aware that it is maintaining ePHI, it must come into
compliance with the HIPAA Rules, or securely return the ePHI to the
customer or, if agreed to by the customer, securely destroy the ePHI.
Once the CSP securely returns or destroys the ePHI (subject to
arrangement with the customer), it is no longer a business associate.
We recommend CSPs document these actions.
While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from
using or disclosing the data in a manner that is inconsistent with the
Rules.
| TYLER, Texas — U.S. Attorney John M. Bales announced today that a former employee of an East Texas hospital has pleaded guilty to criminal HIPAA charges in the Eastern District of Texas. Joshua Hippler, 30, formerly of Longview, Texas, was indicted on March 26, 2014, on charges of Wrongful Disclosure of Individually Identifiable Health Information. Hippler pleaded guilty on August 28, 2014 during a hearing before United States Magistrate Judge John D. Love. The indictment alleged that from December 1, 2012, through January 14, 2013, Hippler, who was then an employee of a covered entity under HIPAA, obtained protected ...read more |
| Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety Covered Entity: General Hospital Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s ...read more |
| Thursday, November 10, 2022 Five Former Methodist Hospital Employees Charged with HIPAA Violations Memphis, TN – A federal grand jury has indicted five former Methodist Hospital Employees for conspiring with Roderick Harvey, 40, to unlawfully disclose patient information in violation of the Health Insurance Portability and Accountability Act of 1996, commonly known as “HIPAA.” United States Attorney Kevin G. Ritz announced the indictment today. HIPAA was enacted by Congress in 1996 to create national standards to protect sensitive patient information from being disclosed without a patient’s knowledge or consent. HIPAA’s provisions make it a crime to disclose patient information, ...read more |
| May a covered entity dispose of protected health information in dumpsters accessible by the public? For example, depending on the circumstances, proper disposal methods may include (but are not limited to): Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.In justifiable cases, based on the size and the ...read more |
|
December 2024
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
11/12/22 Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?
Blog Archives
November 2022 (54)
Blog Labels
PPP Fraud (1)
EHR Fraud (1)
HIPAA (2)
Data Breach (1)
BAA (3)
Covered Entity (40)
HIPAA Enforcement (3)
Telehealth (1)
ePHI (2)
|
