Guidance on HIPAA and Cloud Computing Issued by HHS

HIPAA and cloud computing

Share this article on:

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs).

Cloud service providers that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA regulations if the CSP is required to create, receive, maintain, or transmit electronic protected health information (ePHI). A CSP is also classed as a business associate when a business associate of a covered entity subcontracts services to the CSP that involve creating, receiving, maintaining, or transmitting ePHI.

It is important to note that even when a HIPAA covered entity, business associate, or subcontractor of a business associate provides ePHI to a CSP in encrypted form, the CSP is still classed as a business associate under HIPAA Rules, even if a key to decrypt the data is not provided.

A CSP would not be classed as a business associate and would therefore not be required to abide by HIPAA Rules if de-identified ePHI is supplied, provided data have been de-identified in accordance with the HIPAA Privacy Rule.

Under the HIPAA Security Rule, business associates are required to implement security measures to protect the confidentiality, integrity and availability of ePHI. Limitations are also placed on the use and disclosure of ePHI. Under the HIPAA Breach Notification Rule, a CLA is required to notify the covered entity or its business associate of a breach of ePHI.

Prior to the services of a CSP being contracted it is essential for both parties to enter into a HIPAA-compliant business associate agreement (BAA). The CSP is contractually liable to abide by the terms of the BAA and is directly liable for ensuring compliance with HIPAA Rules. Should HIPAA Rules be breached by the CSP, Office for Civil Rights (OCR) is authorized to issue fines for non-compliance. Fines can rise to $1.5 million per HIPAA violation category.

The importance of entering into a HIPAA-compliant BAA with a CSP was highlighted in July this year. OCR agreed to settle with Oregon Health & Science University in Portland for $2.7 million after an investigation revealed that ePHI had been stored on a Google-cloud based platform without a HIPAA-compliance BAA having first been obtained.

OCR suggests that in addition to a BAA, a service level agreement (SLA) can be used to address specific expectations including issues related to HIPAA compliance. The SLA can include provisions to address the CLA’s responsibilities with respect to security, data backup and recovery, the return of data following the termination of a contract, data retention, data use, disclosure limitations, and system availability and reliability. However, the SLA should be consistent with the BAA and HIPAA Rules. Covered entities should note that a SLA does not constitute a business associate agreement.

The guidance on HIPAA and cloud computing was updated following the receipt of numerous questions from covered entities and business associates indicating there was considerable confusion about HIPAA and cloud computing services.

OCR points out that covered entities should not seek guidance on specific technology, products, or cloud services. OCR does not endorse, certify, or recommend any cloud service, technology, or product.

A number of commonly asked questions have been answered in the guidance on HIPAA and cloud computing which can be viewed on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On