QUESTION: As a TPA for group well being plans, we’re contemplating contracting with a cloud service supplier to again up our shoppers’ digital protected well being info (ePHI). Do we want a HIPAA enterprise affiliate contract with the cloud service supplier?
ANSWER: A cloud service supplier (CSP) is taken into account a HIPAA enterprise affiliate when a coated entity, resembling a bunch well being plan, engages the CSP to create, obtain, preserve, or transmit ePHI (resembling to course of or retailer ePHI) on its behalf. Equally, when a enterprise affiliate, resembling a TPA, subcontracts with a CSP to create, obtain, preserve, or transmit ePHI on the TPA’s behalf, the CSP subcontractor is a enterprise affiliate. Due to this fact, you must have a enterprise affiliate subcontract with the CSP.
It’s vital to acknowledge {that a} enterprise affiliate relationship is established even when the CSP processes or shops solely encrypted ePHI and lacks a decryption key for the information. Missing a decryption key doesn’t exempt a CSP from enterprise affiliate standing and obligations below HIPAA, as a result of encryption protects the confidentiality of PHI however doesn’t essentially handle the PHI’s integrity or availability. Consequently, a enterprise affiliate and CSP subcontractor should enter right into a HIPAA-compliant enterprise affiliate contract even when the CSP shops solely encrypted ePHI. The CSP is each contractually responsible for complying with the enterprise affiliate contract’s phrases and straight responsible for compliance with the relevant necessities of HIPAA.
For instance, as a enterprise affiliate, the CSP retains accountability below the HIPAA safety rule for implementing cheap and acceptable controls to restrict entry to info programs that preserve buyer ePHI. Thus, the CSP should take into account and handle, as a part of its danger evaluation and danger administration course of, the dangers of a malicious actor having unauthorized entry to its system’s administrative instruments, which might impression system operations and impair the confidentiality, integrity, and availability of ePHI.
As well as, the CSP should use and disclose ePHI solely as permitted by its enterprise affiliate contract and the HIPAA privateness rule, or as in any other case required by regulation. CSPs usually present various providers relying on customers’ necessities, starting from mere information storage to finish computing infrastructure. When drafting a enterprise affiliate subcontract with a CSP, it is very important have a transparent understanding of the providers that the CSP will present, because the scope of providers will decide the suitable safety safeguards in addition to permissible makes use of and disclosures below the privateness rule.
For extra info, see EBIA’s HIPAA Portability, Privateness & Safety handbook at Sections XXIV.B (“What Is a Enterprise Affiliate?”) and XXX.B (“Core Safety Necessities: Administrative Safeguards”).
Contributing Editors: EBIA Employees.
