Changes to HIPAA Rules Impose New Liability on Cloud Service Providers


The Department of Health and Human Services (“HHS”) has recently adopted new regulations imposing greater liability for patient data breaches on health providers and on the companies to which they subcontract.  These rules modify the Health Insurance Portability and Accountability Act (“HIPAA”) Enforcement Rules by extending direct civil and criminal liability for data breaches to “business associates” of covered entities (health care providers, health plans, etc.) that receive patient information.  As a result, covered entities and their business associates now face the same penalties for data breaches.

The new rules also specify that certain subcontractors may fall within the definition of “business associate,” and may thus become directly liable for patient data breaches.  According to HHS, a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”  This definition reaches data service providers, such as cloud service providers, whenever they maintain protected health information on behalf of a covered entity or a business associate.  HHS notes that this is true regardless of whether the data service provider actually views the health information: the “opportunity to access” the data is sufficient to make the provider a business associate, and therefore liable in a breach.

Data service providers that maintain patient data are distinguished from so-called “conduits.”  Under the “conduit exception,” a service provider will not be treated as a business associate where its access is limited to transmission services, “including…temporary storage of…data incident to… transmission.”  Practically, this “maintenance/conduit” distinction shields underlying internet service providers from liability under the new rules while directly imposing liability on providers that store the information, such as cloud service providers.  The distinction turns on persistence, not on inspection: a provider that holds protected health information at rest for a customer is a business associate even if it never opens a single record, whereas a provider that merely carries the data in transit is not.

To learn more about Marashlian & Donahue’s privacy practice, please visit our website.

ATTORNEY ADVERTISING DISCLAIMER: This information may be considered advertising in some jurisdictions under the applicable law and ethical rules. The determination of the need for legal services and the choice of a lawyer are extremely important decisions and should not be based solely upon advertisements or self-proclaimed expertise. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.
