What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
Issued by: Office for Civil Rights (OCR)
What if a HIPAA covered
entity (or business associate) uses a CSP to maintain ePHI without
first executing a business associate agreement with that CSP?
Answer:
If a covered entity (or business associate) uses a CSP to maintain
(e.g., to process or store) electronic protected health information
(ePHI) without entering into a BAA with the CSP, the covered entity (or
business associate) is in violation of the HIPAA Rules. 45 C.F.R
§§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan
with a covered entity that OCR determined stored ePHI of over 3,000
individuals on a cloud-based server without entering into a BAA with the
CSP.[1]
Further, a CSP that meets the definition of a business associate –
that is a CSP that creates, receives, maintains, or transmits PHI on
behalf of a covered entity or another business associate – must comply
with all applicable provisions of the HIPAA Rules, regardless of whether
it has executed a BAA with the entity using its services. See 78 Fed.
Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may,
however, be circumstances where a CSP may not have actual or
constructive knowledge that a covered entity or another business
associate is using its services to create, receive, maintain, or
transmit ePHI. The HIPAA Rules provide an affirmative defense in cases
where a CSP takes action to correct any non-compliance within 30 days
(or such additional period as OCR may determine appropriate based on the
nature and extent of the non-compliance) of the time that it knew or
should have known of the violation (e.g., at the point the CSP knows or
should have known that a covered entity or business associate customer
is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative
defense does not, however, apply in cases where the CSP was not aware of
the violation due to its own willful neglect.
If a CSP becomes aware that it is maintaining ePHI, it must come into
compliance with the HIPAA Rules, or securely return the ePHI to the
customer or, if agreed to by the customer, securely destroy the ePHI.
Once the CSP securely returns or destroys the ePHI (subject to
arrangement with the customer), it is no longer a business associate.
We recommend CSPs document these actions.
While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from
using or disclosing the data in a manner that is inconsistent with the
Rules.
| Mental Health Center Provides Access and Revises Policies and Procedures Covered Entity: Mental Health Center Issue: Access, Restrictions The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts ...read more |
| May a covered entity dispose of protected health information in dumpsters accessible by the public? For example, depending on the circumstances, proper disposal methods may include (but are not limited to): Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.In justifiable cases, based on the size and the ...read more |
| Thursday, November 10, 2022 Five Former Methodist Hospital Employees Charged with HIPAA Violations Memphis, TN – A federal grand jury has indicted five former Methodist Hospital Employees for conspiring with Roderick Harvey, 40, to unlawfully disclose patient information in violation of the Health Insurance Portability and Accountability Act of 1996, commonly known as “HIPAA.” United States Attorney Kevin G. Ritz announced the indictment today. HIPAA was enacted by Congress in 1996 to create national standards to protect sensitive patient information from being disclosed without a patient’s knowledge or consent. HIPAA’s provisions make it a crime to disclose patient information, ...read more |
| Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees Covered Entity: Private Practice Issue: Access A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual. To ...read more |
|
October 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
PPP Fraud (1)
Telehealth (1)
BAA (4)
ePHI (2)
Covered Entity (40)
HIPAA Enforcement (3)
Data Breach (1)
EHR Fraud (1)
HIPAA (2)
|
