HHS has released updated guidance on HIPAA and cloud computing to help covered entities take advantage cloud services without risking a HIPAA violation. The main focus is the use of CSPs (cloud service providers) .
CSPs are legally separate entities from a covered entity and are classed as business associates (BA’s) under HIPAA regulations. If the CSP is required to create, receive, maintain, or transmit electronic protected health information (ePHI), they are required to be HIPAA complaint.
It is important to note that even when a HIPAA CE, BA, or subcontractor of a BA provides ePHI to a cloud service provider in encrypted form, they are still classed as a BA under current HIPAA Regulations, even if a key to decrypt the data is not provided to them.
A cloud service provider is not a business associate and is not be required to be HIPAA compliant if de-identified PHI provided data has been de-identified in accordance with HIPAA Privacy.
Under the HIPAA Security Rule, BA’s are also required to implement security policies and procedures to protect the confidentiality, integrity and availability of ePHI. Limitations are also placed on the use and disclosure of PHI. Under the HIPAA Breach Notification Rule, the CSP is required to notify the covered entity or its business associate of a breach of ePHI.
Both parties are required to enter into a HIPAA-compliant business associate agreement. The CSP is contractually bound to abide by the terms of thebusiness associate agreement and is directly responsible for maintaining compliance with HIPAA. Should HIPAA Rules be breached by the CSP, Office for Civil Rights (OCR) is authorized to issue fines for non-compliance. Fines can rise to $1.5 million per HIPAA violation category.
OCR suggests that in addition to a BAA, a service level agreement (SLA) can be used to address specific expectations related to HIPAA security compliance. The SLA can include provisions to address the CSP’s responsibilities with respect to security, data backup and recovery, the return of data following the termination of a contract, disclosure limitations, data use, data retention, and system availability and reliability. However, the SLA should be consistent with the BAA and HIPAA Regulations.
OCR points out that covered entities should not seek guidance on specific technology, products, or cloud services. OCR does not endorse, certify, or recommend any cloud service, technology, or product.
The guidance on HIPAA and cloud computing was updated following the receipt of numerous questions from covered entities and business associates indicating there was considerable confusion about HIPAA and cloud computing services.
A number of commonly asked questions have been answered in the guidance on HIPAA and cloud computing which are available at https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html