OCR Issues Guidance on HIPAA and Cloud Computing.
Date posted: November 1, 2016
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released guidance to help organizations understand the regulatory requirements surrounding cloud computing. The Health Insurance Portability and Accountability Act (HIPAA) permits covered entities and business associates to use cloud computing services, which provide on-demand network access to shared pools of servers, storage, and applications. Health care organizations commonly engage cloud services providers (CSPs) for offerings ranging from simple data storage to entire electronic medical records systems. The OCR guidance specifically addresses CSPs that are legally separate from the covered entity or business associate they serve.
HIPAA sets forth safeguards for covered entities and business associates that create, receive, maintain, or transmit protected health information (PHI) or electronic PHI (ePHI). A CSP that creates, receives, maintains, or transmits ePHI on behalf of a covered entity, or as a subcontractor of a business associate, is itself a business associate and must comply with the applicable HIPAA requirements. Notably, this holds even for a CSP that only stores or processes encrypted ePHI and does not hold the decryption key: lacking the key does not exempt the CSP from business associate status or from HIPAA compliance.
Key highlights from the OCR guidance include the following:
- Covered entities and business associates may use CSPs to store and process ePHI if the parties enter into a business associate agreement (BAA). Failure to execute a valid BAA constitutes a HIPAA violation.
- CSPs qualifying as business associates must comply with applicable HIPAA requirements regardless of whether the CSP has entered into a BAA with a covered entity or business associate.
- Covered entities and business associates may also execute service level agreements (SLAs) with CSPs to address more specific business expectations between the parties, such as back-up and data recovery, provided the SLA terms do not conflict with the BAA or the HIPAA Rules.
- HIPAA does not require a CSP to retain ePHI after its period of service to the covered entity or business associate ends. The BAA must, however, address the return or destruction of PHI at termination of the agreement.
- A CSP that receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule is not a business associate, because de-identified information is not PHI.
The OCR guidance is available as:
Department of Health and Human Services, Office for Civil Rights. "Guidance on HIPAA & Cloud Computing." Guidance document, 6 Oct. 2016.