More and more organizations are using cloud providers for computer backup. Internet upload speeds have increased, and the incremental-backup technology offered by cloud providers has become more sophisticated. Very importantly, cloud backup provides the all-important off-site copy that protects the organization in the event of theft, fire, flood or other disaster affecting its physical facilities.
The HIPAA Omnibus rule updates the definition of “business associate (BA)”. The relevant portion of that definition states that a business associate is an entity that “creates, receives, maintains or transmits protected health information for a function or activity regulated by this subchapter, including . . . processing or administration . . .” Processing and administration are broad terms, and this author’s interpretation is that online backup falls under one or both of them. A covered entity must place any business associate under a HIPAA Business Associate Agreement (BAA).
However, many cloud backup companies offer a different opinion and claim that they are not HIPAA Business Associates. Most likely, their legal departments persuade the company to adopt this public stance as a risk management strategy to minimize liability in the event of a breach of confidentiality. And as a further part of this strategy, they refuse to sign HIPAA Business Associate Agreements.
So, is a cloud backup company a business associate or not? The final answer may come from future HHS interpretation or a future court case. HHS has made it clear that it is the nature of the business relationship that establishes a HIPAA business associate relationship, not the presence or absence of a signed BAA.
To address the needs of HIPAA covered entities, many cloud backup companies instead offer encrypted backup, and further allow the end user to create and hold the only copy of the encryption key. The data is encrypted before it leaves the user’s computer. Only ciphertext is stored with the cloud company, and the company has no capability to decrypt it. [A word of caution if you go this route: 1) don’t lose the key, because without it the backup is unrecoverable by anyone, including the provider; and 2) keep an extra copy of the key in a secure location off-site, and periodically test that the off-site copy actually restores a backup. Remember, you are using online backup to protect yourself from the building burning down, and a key that burns with the building is no better than no backup at all.]
A HIPAA covered entity that takes this approach would appear to hold a “Get Out of Jail Free” card, since the HIPAA Breach Notification Rule applies only to unsecured PHI, and PHI encrypted in accordance with HHS guidance is not considered unsecured, so its disclosure does NOT constitute a reportable breach. In the event of an enforcement action for the lack of a BAA, the covered entity can cite this provision and claim that no breach occurred.
It is important to note that cloud backup companies frequently offer two ways to handle encryption. The first is the method described above, where the user is in sole possession of the encryption key. The second is that the cloud backup company manages the encryption key and, when called upon by you, uses that key to decrypt the data for you. Under the second approach the provider can read your PHI at any time, whatever its marketing says about “encryption at rest”. Only the first method offers the “Get Out of Jail Free” card, and before relying on it you should confirm that decryption happens on your own systems and that the key is never transmitted to, or derived on, the provider’s side during backup or restore.
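To make the distinction between the two approaches concrete, here is an added example (not code from the original article or from any backup vendor) of the first method: the covered entity generates and holds a key, seals each backup blob with AES-256-GCM before upload, and the provider stores only ciphertext. The `Provider` type, the backup name `ehr-2024-01-01` and the sample record are constructed stand-ins for illustration. `RestoreDrill` is the periodic check the caution above calls for: prove that the off-site copy of the key still restores a blob fetched from the provider.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256

// NewCustomerKey generates the key the covered entity keeps. It never leaves
// the customer's systems; the provider only ever sees output of SealBackup.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup blob on the client before upload.
// Output layout: nonce || ciphertext || GCM tag. The backup name is bound as
// associated data, so a blob stored under one name cannot be silently
// substituted for another without the tag check failing on restore.
func SealBackup(key []byte, backupName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(backupName)), nil
}

// OpenBackup reverses SealBackup. It returns an authentication error for a
// wrong key, a wrong backup name, or a blob modified while at the provider.
func OpenBackup(key []byte, backupName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(backupName))
}

// Provider is a constructed stand-in for the cloud backup service: a blob
// store that holds ciphertext and no key.
type Provider struct{ store map[string][]byte }

func NewProvider() *Provider                    { return &Provider{store: map[string][]byte{}} }
func (p *Provider) Put(name string, blob []byte) { p.store[name] = append([]byte(nil), blob...) }
func (p *Provider) Get(name string) ([]byte, bool) { b, ok := p.store[name]; return b, ok }

// RestoreDrill takes the key copy from the off-site location and proves it
// restores a blob fetched from the provider to the expected contents.
func RestoreDrill(offsiteKeyCopy []byte, p *Provider, backupName string, expected []byte) error {
	blob, ok := p.Get(backupName)
	if !ok {
		return fmt.Errorf("provider has no blob %q", backupName)
	}
	got, err := OpenBackup(offsiteKeyCopy, backupName, blob)
	if err != nil {
		return fmt.Errorf("off-site key copy does not restore %q: %w", backupName, err)
	}
	if !bytes.Equal(got, expected) {
		return errors.New("restored data does not match the original")
	}
	return nil
}

func main() {
	key, _ := NewCustomerKey()
	offsiteCopy := append([]byte(nil), key...) // the copy kept off-site
	phi := []byte("constructed sample record: patient Jane Doe, MRN 000000") // not real PHI
	blob, _ := SealBackup(key, "ehr-2024-01-01", phi)
	prov := NewProvider()
	prov.Put("ehr-2024-01-01", blob)

	fmt.Println("restore drill error:", RestoreDrill(offsiteCopy, prov, "ehr-2024-01-01", phi))
	// Anything the provider tries without the customer's key fails authentication.
	providerGuess, _ := NewCustomerKey()
	_, err := OpenBackup(providerGuess, "ehr-2024-01-01", blob)
	fmt.Println("provider decrypt attempt:", err)
}
```

In the second (provider-managed) model the only change is who calls `NewCustomerKey` and where the key lives: the provider would hold `key` and run `OpenBackup` itself, which is exactly the access that makes it a business associate in this author's reading. Note also that the drill exercises the off-site key copy, not the working key, because the working copy is the one most likely to be lost in the disaster the backup exists for.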
So, if you choose to use a cloud backup company without a HIPAA Business Associate Agreement, and choose to manage the encryption key yourself, you may technically be in violation of the HIPAA requirement to place business associates under contract. But you could claim that, since the data was encrypted and the provider could never read it, no breach of PHI can have occurred.
This author predicts that if you choose to go without a BAA, you may well prevail in the event of an HHS enforcement action. However, since there are cloud providers who will sign the BAA, our first recommendation is that you choose one of those companies and get the BAA.