- The Department of Health and Human Services (HHS) recently released updated HIPAA cloud computing guidance to help covered entities and business associates understand how to take advantage of cloud computing while still remaining HIPAA compliant. It also aims to help cloud service providers (CSPs) better understand HIPAA regulations.
Cloud resources offered by CSPs that are legally separate entities from a covered entity or business associate considering the use of its services are the main focus of the guidance, HHS explains on its website.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” the guidance states. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
HHS emphasized the fact that covered entities or business associates must enter into a business associates agreement with their chosen CSP, as each party will be “contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
Covered entities and business associates can also store or process ePHI in a cloud service, according to HHS.
“Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate,” the guidance states. “The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.”
A service level agreement (SLA) could also be beneficial in addressing more specific business expectations between the CSP and its customer. For example, the provisions could cover the following areas:
- System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.
It is also important to note that a CSP is still considered a HIPAA business associate if it only stores encrypted ePHI and does not have a decryption key. Even if an organization cannot actually view the ePHI it is maintaining for a covered entity or business associate, it is still considered a business associate under HIPAA regulations.
While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.
The HIPAA cloud computing guidance also discusses cloud computing considerations in relation to the HIPAA Privacy, Security, and Breach Notification rules. Covered entities and business associates must still ensure that they are adhering to those rules and maintaining ePHI security, even while using cloud services.
Another key takeaway was that healthcare organizations that are trying to find HIPAA-compliant cloud services should not seek OCR’s input as “OCR does not endorse, certify, or recommend specific technology or products.”
The guidance included several other common questions and then answers related toward cloud computing and how it may affect covered entities or business associates in how they handle and maintain ePHI security.
To read the guidance in its entirety, click here: