What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP? What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
Issued by: Office for Civil Rights (OCR)
What if a HIPAA covered
entity (or business associate) uses a CSP to maintain ePHI without
first executing a business associate agreement with that CSP?
Answer:
If a covered entity (or business associate) uses a CSP to maintain
(e.g., to process or store) electronic protected health information
(ePHI) without entering into a BAA with the CSP, the covered entity (or
business associate) is in violation of the HIPAA Rules. 45 C.F.R
§§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan
with a covered entity that OCR determined stored ePHI of over 3,000
individuals on a cloud-based server without entering into a BAA with the
CSP.[1]
Further, a CSP that meets the definition of a business associate –
that is a CSP that creates, receives, maintains, or transmits PHI on
behalf of a covered entity or another business associate – must comply
with all applicable provisions of the HIPAA Rules, regardless of whether
it has executed a BAA with the entity using its services. See 78 Fed.
Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may,
however, be circumstances where a CSP may not have actual or
constructive knowledge that a covered entity or another business
associate is using its services to create, receive, maintain, or
transmit ePHI. The HIPAA Rules provide an affirmative defense in cases
where a CSP takes action to correct any non-compliance within 30 days
(or such additional period as OCR may determine appropriate based on the
nature and extent of the non-compliance) of the time that it knew or
should have known of the violation (e.g., at the point the CSP knows or
should have known that a covered entity or business associate customer
is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative
defense does not, however, apply in cases where the CSP was not aware of
the violation due to its own willful neglect.
If a CSP becomes aware that it is maintaining ePHI, it must come into
compliance with the HIPAA Rules, or securely return the ePHI to the
customer or, if agreed to by the customer, securely destroy the ePHI.
Once the CSP securely returns or destroys the ePHI (subject to
arrangement with the customer), it is no longer a business associate.
We recommend CSPs document these actions.
While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from
using or disclosing the data in a manner that is inconsistent with the
Rules.
| DOVER (Oct. 21, 2022) – The Delaware Division of Developmental Disabilities Services is announcing today that it is mailing letters to service recipients and legal guardians who were impacted by a recent data breach incident and is providing information to the public regarding the incident. On August 23, 2022, staff within the Division of Developmental Disabilities Services (DDDS) discovered that in the process of creating new user accounts in the division’s client database, DDDS staff inadvertently provided access to individual records of 7074 individuals. As a result of these actions, 159 new users had potential access to service recipients’ ...read more |
| Pharmacy Chain Enters into Business Associate Agreement with Law Firm Covered Entity: Pharmacy Chain Issue: Impermissible Uses and Disclosures; Business Associates A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer’s PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is ...read more |
| SCOPE OF CRIMINAL ENFORCEMENT UNDER 42 U.S.C. § 1320d-6 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6, and the knowingly element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense. MEMORANDUM OPINION FOR THE GENERAL COUNSEL DEPARTMENT OF HEALTH AND HUMAN SERVICES AND THE SENIOR COUNSEL TO THE DEPUTY ATTORNEY GENERAL You have asked jointly for our opinion concerning the scope of 42 U.S.C. § 1320d-6 (2000), the criminal enforcement provision of the ...read more |
| Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons Covered Entity: Health Plans Issue: Safeguards A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all ...read more |
|
November 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | | 1 |
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
ePHI (2)
HIPAA (2)
Telehealth (1)
HIPAA Enforcement (3)
EHR Fraud (1)
Data Breach (1)
Covered Entity (40)
BAA (4)
PPP Fraud (1)
|
