Medical Justice provides free consultations to doctors facing medico-legal obstacles. We have solutions for doctor-patient conflicts, unwarranted demands for refunds, online defamation (patient review mischief), meritless litigation, and a gazillion other issues. If you are navigating a medico-legal obstacle, visit our booking page to schedule a free consultation – or use the tool shared below.

"Can Medical Justice solve my problem?" Click here to review recent consultations...

We’ve been protecting doctors from medico-legal threats since 2001. We’ve seen it all. Here’s a sample of typical recent consultation discussions…

  • Former employee stole patient list. Now a competitor…
  • Patient suing doctor in small claims court…
  • Just received board complaint…
  • Allegations of sexual harassment by employee…
  • Patient filed police complaint doctor inappropriately touched her…
  • DEA showed up to my office…
  • Patient “extorting” me. “Pay me or I’ll slam you online.”
  • My carrier wants me to settle. My case is fully defensible…
  • My patient is demanding an unwarranted refund…
  • How do I safely terminate doctor-patient relationship?
  • How to avoid reporting to Data Bank…
  • I want my day in court. But don’t want to risk my nest egg…
  • Hospital wants to fire me…
  • Sham peer review inappropriately limiting privileges…
  • Can I safely use stem cells in my practice?
  • Patient’s results are not what was expected…
  • Just received request for medical records from an attorney…
  • Just received notice of intent to sue…
  • Just received summons for meritless case…
  • Safely responding to negative online reviews…

We challenge you to supply us with a medico-legal obstacle we haven’t seen before. Know you are in good hands. Schedule your consultation below – or click here to visit our booking page.

We receive all types of HIPAA questions from our members. The answers are not always easy to track down. We present several of them below.

(Q) I have heard that HIPAA does not allow you to have a Business Associate relationship with a vendor overseas. Is that correct?

(A) At first blush, it would seem that one might be foreclosed from storing data on an overseas cloud server, since US authorities would have limited or no jurisdiction over the overseas entity. But HHS clarifies otherwise. It is permitted, provided you have a Business Associate Agreement and you account for the added risk. From the HHS cloud computing guidance:

Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

Answer:

Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to the protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location. In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to the enforceability of privacy and security protections over the data.

(Q) Can I store protected health information (PHI) on my personal Google Drive account?

(A) Generally, no. If you store PHI on Google Drive, you need a Business Associate Agreement with Google. Google does offer one, but only for paid Google Apps for Business, Education, or Government accounts (the product now sold as Google Workspace). In other words, you have to be a paying customer to get the document.

Most personal Google accounts are free, and they do not come with Business Associate Agreements.

BTW, encrypting a document before uploading it to a personal Google account is worth doing, but it does not get you out of the Business Associate Agreement. HHS’s cloud computing guidance is explicit that a cloud provider storing encrypted ePHI is still a business associate, even if it never holds the decryption key, because it is maintaining PHI on your behalf. What strong encryption does buy you is real, though: if the key stays with you, the provider (and anyone who breaks into it) sees only ciphertext, and PHI encrypted in accordance with HHS guidance counts as “secured,” so its loss or theft does not by itself trigger breach notification. So encrypt before you upload, keep the key out of the cloud account, and still get the BAA.
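What “encrypt before you upload, keep the key out of the cloud account” looks like in practice, as an added example that is not Medical Justice’s code or guidance: the record is sealed locally with AES-256-GCM (a NIST-approved algorithm), only the ciphertext blob goes to the provider, and any wrong key, edited byte, or relabelled record is rejected on the way back. The clinical note is a constructed sample, the record identifier is a hypothetical label, and key storage is simplified to an in-memory key; a real deployment keeps the key in the practice’s own key store.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample standing in for a PHI document; not a real record.
var sampleRecord = []byte("Patient: Jane Doe (constructed sample). Visit 2024-01-15: follow-up, BP 120/80.")

// NewRecordKey returns a fresh random 256-bit AES key. In a real deployment the
// key lives in the practice's own key store and is never written to the cloud account.
func NewRecordKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// This blob is what gets uploaded; the provider never sees plaintext or key.
// recordID (a hypothetical label) is bound as additional authenticated data so a
// blob cannot be silently relabelled as another patient's record. With random
// 96-bit nonces, keep the number of encryptions per key well below 2^32.
func SealRecord(key, plaintext, recordID []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its first argument, so the nonce becomes the prefix.
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenRecord reverses SealRecord. A wrong key, a modified byte anywhere in the
// blob, or a mismatched recordID makes tag verification fail and returns an error.
func OpenRecord(key, blob, recordID []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, recordID)
}

// DemoResult records what the walk-through in Demo observed.
type DemoResult struct {
	Recovered               bool // correct key + recordID yields the original bytes
	PlaintextVisibleToCloud bool // does the uploaded blob contain the patient name?
	WrongKeyRejected        bool
	TamperRejected          bool
	SwapRejected            bool // blob relabelled with another recordID is rejected
}

// Demo runs the encrypt-before-upload flow against the constructed sample.
func Demo() (DemoResult, error) {
	var r DemoResult
	key, err := NewRecordKey()
	if err != nil {
		return r, err
	}
	recordID := []byte("record-0001")
	blob, err := SealRecord(key, sampleRecord, recordID)
	if err != nil {
		return r, err
	}
	// The blob is all the cloud provider (or a thief of its storage) would hold.
	r.PlaintextVisibleToCloud = bytes.Contains(blob, []byte("Jane Doe"))

	got, err := OpenRecord(key, blob, recordID)
	r.Recovered = err == nil && bytes.Equal(got, sampleRecord)

	otherKey, err := NewRecordKey()
	if err != nil {
		return r, err
	}
	_, err = OpenRecord(otherKey, blob, recordID)
	r.WrongKeyRejected = err != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit; GCM tag check must fail
	_, err = OpenRecord(key, tampered, recordID)
	r.TamperRejected = err != nil

	_, err = OpenRecord(key, blob, []byte("record-0002"))
	r.SwapRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The design point is that the provider only ever receives the output of SealRecord; decryption happens on a machine the practice controls, so a compromise of the cloud account yields ciphertext and nothing else. That is what makes the stored copy “secured” PHI for breach-notification purposes; it does not change the fact that the provider is holding PHI for you and therefore needs a BAA.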

(Q) I hear about HIPAA authorization. I also hear about HIPAA consent. Aren’t they the same thing?

(A) Well, they are not precisely the same thing.

Authorization is what you HAVE to obtain from a patient, in writing, before disclosing protected health information, unless the disclosure falls under one of the Privacy Rule’s named permissions (treatment, payment, healthcare operations, and the other listed exceptions).

Consent is something you are allowed, but not required, to obtain from a patient before a disclosure that needs no authorization.

For example, you must obtain a patient’s prior written authorization to send protected health information to their designated attorney. Before sending the records, confirm the patient has signed the authorization, and send only the records identified in it.

In contrast, the Privacy Rule permits a covered entity, but does not require it, to voluntarily obtain patient consent for disclosures of protected health information related to treatment, payment, and healthcare operations. As an example, if a patient verbally asks you to submit an insurance form so you can get paid, you do not need their written authorization; payment is one of the named permissions. But you are allowed to have processes in place to obtain their “consent.”

(Q) Can an individual revoke their authorization?

(A) Yes. A patient can revoke an authorization at any time. The revocation must be in writing, and it takes effect when the covered entity receives it. One caveat: revocation does not undo what you did in reliance on the authorization before the revocation reached you. Disclosures already made stay made.

The Privacy Rule requires that the authorization clearly state the individual’s right to revoke. The revocation process must either be set out clearly on the authorization itself, or, if the covered entity creates the authorization and its Notice of Privacy Practices clearly describes the revocation process, the authorization may refer to the Notice of Privacy Practices. Authorization forms created by or submitted through a third party should not imply that revocation is effective when the third party receives it; the revocation is not effective until the covered entity that was authorized to make the disclosure receives it.

If a patient authorized you to post before-and-after photos on your website and later demands you take them down, just do it. It is their right to make that demand. Obviously, once protected information has been released into the internet ether, it may be impossible to “protect” that information down the road; copies made by others before the revocation reached you are outside your control. You can only do what you can do.

(Q) If a vendor is storing electronic medical records and the subscription terminates, does that vendor have to maintain the records, give them to the provider, or something else?

(A) Here, the vendor is a Business Associate. HHS’s cloud computing guidance poses the question and answers it as follows:

Do the HIPAA Rules require a Cloud Service Provider (CSP) to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

Answer:

No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate. The Privacy Rule provides that a business associate agreement (BAA) must require a business associate to return or destroy all PHI at the termination of the BAA where feasible. 45 CFR § 164.504(e)(2)(ii)(J).

If such return or destruction is not feasible, the BAA must extend the privacy and security protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. For example, return or destruction would be considered “infeasible” if other law requires the business associate CSP to retain ePHI for a period of time beyond the termination of the business associate contract.

Two practical points follow. First, the return-or-destroy clause only helps you if the BAA spells out how and when the records come back (format, timeline, and confirmation of destruction), so read that clause before you sign, not when the subscription lapses. Second, state law may impose its own medical-record retention periods, and that obligation sits with you, the provider, whether or not the vendor still has a copy.

OK, that’s all for today. What do you think?

Jeffrey Segal, MD, JD

Chief Executive Officer and Founder

Dr. Jeffrey Segal, Chief Executive Officer and Founder of Medical Justice, is a board-certified neurosurgeon. Dr. Segal is a Fellow of the American College of Surgeons; the American College of Legal Medicine; and the American Association of Neurological Surgeons. He is also a member of the North American Spine Society. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country’s leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.

Dr. Segal was a practicing neurosurgeon for approximately ten years, during which time he also played an active role as a participant on various state-sanctioned medical review panels designed to decrease the incidence of meritless medical malpractice cases.

Dr. Segal holds a M.D. from Baylor College of Medicine, where he also completed a neurosurgical residency. Dr. Segal served as a Spinal Surgery Fellow at The University of South Florida Medical School. He is a member of Phi Beta Kappa as well as the AOA Medical Honor Society. Dr. Segal received his B.A. from the University of Texas and graduated with a J.D. from Concord Law School with highest honors.

In 2000, he co-founded and served as CEO of DarPharma, Inc, a biotechnology company in Chapel Hill, NC, focused on the discovery and development of first-of-class pharmaceuticals for neuropsychiatric disorders.

Dr. Segal is also a partner at Byrd Adatto, a national business and health care law firm. Byrd Adatto was selected as a Best Law Firm in the 2023 edition of the “Best Law Firms” list by U.S. News – Best Lawyers. With over 50 combined years of experience in serving doctors, dentists, and other providers, Byrd Adatto has a national pedigree to address most legal issues that arise in the business and practice of medicine.