All CSPs that are business associates must comply with the applicable standards and implementation specifications of the Security Rule with respect to ePHI. However, in cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, certain Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties. In particular, where only the customer controls who is able to view the ePHI maintained by the CSP, certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the CSP business associate. Which access controls are to be implemented by the customer and which are to be implemented by the CSP may depend on the respective security risk management plans of the parties as well as the terms of the BAA. For example, if a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.
However, as a business associate, the CSP is still responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to information systems that maintain customer ePHI. For example, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still be required to implement appropriate internal controls to assure only authorized access to the administrative tools that manage the resources (e.g., storage, memory, network interfaces, CPUs) critical to the operation of its information systems. For example, a CSP that is a business associate needs to consider and address, as part of its risk analysis and risk management process, the risks of a malicious actor having unauthorized access to its system’s administrative tools, which could impact system operations and impact the confidentiality, integrity and availability of the customer’s ePHI. CSPs should also consider the risks of using unpatched or obsolete administrative tools. The CSP and the customer should each confirm in writing, in either the BAA or other documents, how each party will address the Security Rule requirements.
Note that where the contractual agreements between a CSP and customer provide that the customer will control and implement certain security features of the cloud service consistent with the Security Rule, and the customer fails to do so, OCR will consider this factor as important and relevant during any investigation into compliance of either the customer or the CSP. A CSP is not responsible for the compliance failures that are attributable solely to the actions or inactions of the customer, as determined by the facts and circumstances of the particular case.
