I have negotiated hundreds of SaaS agreements for dozens of software companies and I always hated when the company on the other side was a healthcare provider. Invariably, they would bring up Protected Health Information (PHI) and the Health Insurance Portability and Accountability Act (HIPAA) and want us to sign a Business Associate Agreement (BAA). I am an IP lawyer, not a healthcare lawyer. My client was a software company, not a medical claim processor. As explained below, rather than cursing under my breath, I should have thanked them for insisting that we sign a BAA.
Cloud Service Providers (CSPs), even those that merely provide data storage, need to be aware of the HIPAA requirements applicable to them. A CSP storing PHI for a covered entity (e.g., a healthcare provider) is a business associate of that covered entity and is required to comply with HIPAA.
In general, a business associate is anyone that creates, receives, maintains (i.e., stores), or transmits PHI for a covered entity. According to recent guidance from the HHS, this would include a CSP that only stores encrypted PHI and does not have a decryption key. Under HIPAA, an entity that stores PHI is a business associate, even if the entity cannot actually view the PHI.
If a covered entity (or business associate) uses a CSP to maintain PHI without entering into a BAA with the CSP, the covered entity (and/or business associate) is in violation of HIPAA. To complicate matters further, this rule also applies to third-party subcontractors. Many SaaS providers use third-party hosting providers, such as Rackspace or Amazon Web Services, to host their software. In such situations, there would need to be two BAAs: (i) one between the SaaS provider and the covered entity; and (ii) one between the SaaS provider and the hosting company. The hosting service provider would need to execute a BAA even if the hosting provider is unaware of, and cannot access, the encrypted PHI stored on its servers. For those of you using AWS, Amazon has an automated process for entering into a BAA with them.
A few other words of caution: SaaS providers need to ensure their Service Level Agreements (e.g., system availability) are consistent with the BAA and HIPAA. In addition to its contractual obligations to the covered entity, the CSP, as a business associate, has other regulatory obligations and can be directly liable under HIPAA for violations.
And now for the good news: HIPAA provides an affirmative defense to the unsuspecting business associate that failed to get the necessary BAAs in place. That defense is available to a CSP that doesn’t have actual or constructive knowledge that a covered entity or business associate is using its services to create, receive, maintain, or transmit PHI, as long as the CSP takes steps to correct the problem within 30 days from when the CSP knew or should have known about the PHI.
So, as you can see, when PHI is involved, tread with caution. There is more information available on the HHS website.
Hat tip to my partner Cheryl Camin Murray for her help in navigating these HIPAA-compliance pitfalls.