29 May 2025

Data Centers And HIPAA Requirements

Holland & Knight


Holland & Knight is a global law firm with nearly 2,000 lawyers in offices throughout the world. Our attorneys provide representation in litigation, business, real estate, healthcare and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.

Data centers may provide space, cooling, power, physical wiring and connectivity to customers that store hardware in the centers. If this hardware is used to store protected health information (PHI) subject to federal Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, data center operators may have HIPAA responsibilities.

HIPAA History Regarding Data Storage

HIPAA applies to "covered entities," "business associates" and "subcontractors." Covered entities include health plans, healthcare clearinghouses and most healthcare providers. Business associates include a number of different types of businesses that serve covered entities, as well as subcontractors that provide PHI-related services to business associates. Business associates conduct functions on behalf of a covered entity requiring the creation, receipt, maintenance or transmission of PHI. Entities that provide data transmission services involving PHI and that require access on a routine basis to such PHI are also business associates, raising a question as to whether HIPAA applies to data center operators.

Even though a data center may provide the same types of services to all of its customers, regardless of whether the customers are in the healthcare industry, HIPAA potentially applies to data centers serving customers that use the services for PHI-related purposes. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) enforces HIPAA privacy and security regulations. Over time, OCR's position on the applicability of HIPAA to PHI storage has changed.

In 2003, OCR provided a letter to Tindall Record Storage, a Texas company, stating "that a business associate agreement is not required between a covered entity and a document storage company performing functions on behalf of the covered entity, where any protected health information released to the storage company is transferred and maintained in closed and sealed containers, and the document storage company does not otherwise access protected health information."

Applying that reasoning to a data center operator providing co-location or other services where no access to PHI is needed, it would seem that those services would not create a business associate relationship. However, subsequent changes to HIPAA and other informal guidance likely change that analysis.

HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expanded the application of certain HIPAA requirements to business associates. For example, the HIPAA security rule provisions now apply to business associates in the same way that they apply to covered entities. Additionally, business associates are required by law to comply with applicable privacy provisions of their business associate agreements with covered entities.

OCR finalized regulations in 2013 implementing certain HITECH Act requirements. In its preamble to those regulations, OCR changed its position from the guidance it provided in 2003 by referring to a record storage company that holds boxes of paper records on behalf of a covered entity but does not know the names of individuals whose information is stored in those boxes as a "business associate."

In 2016, OCR issued informal guidance on its website indicating that cloud service providers (CSPs) are business associates. OCR noted that cloud computing can take different forms and may involve access to networks, servers and storage.

In a frequently asked question regarding CSPs, OCR indicated that a CSP is a business associate if it processes or stores electronic PHI (ePHI). This is the case even if the ePHI is encrypted and the CSP has no decryption key. OCR indicated that encryption, by itself, would not eliminate the need for the CSP or the covered entity to address other safeguards such as disaster planning and physical safeguards for the systems and servers.

The covered entity, rather than the CSP, could be responsible for certain compliance obligations such as adhering to HIPAA's authentication requirements if the CSP has no access to the content of the PHI. If the CSP has no way to address a required HIPAA compliance obligation, this should be addressed in the HIPAA business associate agreement between the parties.

HIPAA Obligations If a Data Center Is a Business Associate

If a data center meets HIPAA's definition of a business associate, it must implement an effective HIPAA compliance program. A business associate's HIPAA obligations include:

  • assessing how PHI is stored and where it is maintained
  • conducting and documenting an accurate and thorough risk analysis of the potential threats and vulnerabilities to electronic PHI and how those risks will be mitigated
  • appointing or hiring a security official who is responsible for developing and implementing policies and procedures to enable the data center operator to comply with relevant HIPAA requirements
  • training its workforce on the HIPAA policies and procedures relevant to their functions
  • flowing down HIPAA business associate agreement requirements to subcontractors that have involvement with the maintenance of the PHI

Although data centers may have many physical and technical security measures in place, if those data centers will be serving HIPAA-covered entities or business associates, HIPAA will require the data center operator to comply with numerous requirements specific to these federal regulatory provisions.
