HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Guidance on HIPAA and Cloud Computing Issued by HHS

The Department of Health and Human Services has released updated guidance on HIPAA and cloud computing to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs).

Cloud service providers that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA regulations if the CSP is required to create, receive, maintain, or transmit electronic protected health information (ePHI). A CSP is also classed as a business associate when a business associate of a covered entity subcontracts services to the CSP that involve creating, receiving, maintaining, or transmitting ePHI.

It is important to note that even when a HIPAA covered entity, business associate, or subcontractor of a business associate provides ePHI to a CSP in encrypted form, the CSP is still classed as a business associate under HIPAA Rules, even if a key to decrypt the data is not provided.

A CSP would not be classed as a business associate and would therefore not be required to abide by HIPAA Rules if de-identified ePHI is supplied, provided data have been de-identified in accordance with the HIPAA Privacy Rule.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Under the HIPAA Security Rule, business associates are required to implement security measures to protect the confidentiality, integrity and availability of ePHI. Limitations are also placed on the use and disclosure of ePHI. Under the HIPAA Breach Notification Rule, a CLA is required to notify the covered entity or its business associate of a breach of ePHI.

Prior to the services of a CSP being contracted it is essential for both parties to enter into a HIPAA-compliant business associate agreement (BAA). The CSP is contractually liable to abide by the terms of the BAA and is directly liable for ensuring compliance with HIPAA Rules. Should HIPAA Rules be breached by the CSP, Office for Civil Rights (OCR) is authorized to issue fines for non-compliance. Fines can rise to $1.5 million per HIPAA violation category.

The importance of entering into a HIPAA-compliant BAA with a CSP was highlighted in July this year. OCR agreed to settle with Oregon Health & Science University in Portland for $2.7 million after an investigation revealed that ePHI had been stored on a Google-cloud based platform without a HIPAA-compliance BAA having first been obtained.

OCR suggests that in addition to a BAA, a service level agreement (SLA) can be used to address specific expectations including issues related to HIPAA compliance. The SLA can include provisions to address the CLA’s responsibilities with respect to security, data backup and recovery, the return of data following the termination of a contract, data retention, data use, disclosure limitations, and system availability and reliability. However, the SLA should be consistent with the BAA and HIPAA Rules. Covered entities should note that a SLA does not constitute a business associate agreement.

The guidance on HIPAA and cloud computing was updated following the receipt of numerous questions from covered entities and business associates indicating there was considerable confusion about HIPAA and cloud computing services.

OCR points out that covered entities should not seek guidance on specific technology, products, or cloud services. OCR does not endorse, certify, or recommend any cloud service, technology, or product.

A number of commonly asked questions have been answered in the guidance on HIPAA and cloud computing which can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.