- The Center for Democracy and Technology (CDT) recently explored the ways in which HIPAA and cloud computing interconnect for organizations involved with in a FAQ. From the perspective of a healthcare organization that’s a covered entity or a vendor or conduit that may be a business associate handling protected health information (PHI) in the cloud, there are no absolutes or turn-key solutions (at least at the moment). Having a clear understanding of how to interpret healthcare law, technology and policies as they relate to their work in the cloud is non-negotiable for HIPAA compliance.
After providing some basic cloud computing facts, the FAQ dug into some pressing issues in which CDT offered its interpretation of how cloud computing technology can best be utilized while maintaining compliance. Joseph Lorenzo Hall, CDT Senior Staff Technologist, mainly works with healthcare privacy policies (as well as consumer privacy and national security) and said CDT’s objective with the FAQ was to clear up some misconceptions about cloud computing for covered entities as well as BAs while explaining how CDT interprets business associate agreements (BAAs).
No. 3 on the list – “Is a cloud service provider (CSP) a business associate under the HIPAA Privacy Rule?” – reminded readers that a big distinction in responsibility is whether the cloud service provider is “maintaining” PHI or merely “transmitting” the data. CDT also discussed how BAAs can be simplified by the organization merely encrypting its data. Hall anticipated further guidance from the Office for Civil Rights (OCR) on how transmission services fit into compliance.
There can be [some BAA confusion], and that’s part of why we wrote the FAQ. For example, if you’re doing transmission service without routine access to PHI, you’re not a BA. Or if you’re doing encrypted cloud work, the BAA can be really simple. For example, it’s not a breach if it’s appropriately encrypted.
Even in the preamble to the Final Rule, OCR said they anticipate releasing further guidance on the delineation between covered entities, BAs and subcontractors. I think HHS would agree that there are other things that need to be covered, such as not having a rule that just applies to “fire and forget” transmission services, but also a transmission service that provides the equivalent of “certified” transmission, where it really makes sure that data ends up with where it needed to go. There are richer notions of conduit services that I think HHS is trying to reach with that carve-out, but I think the onus is on OCR to provide really clear guidance.
Hall argued that while the Final Rule cleared some things up, organizations still need more clarity. A cloud service guidance package, for example, that varied based on the type of cloud service support and providers could just plug in and run with, could help. Though legal representation tends be conservative, CDT would like to see more Department of Health and Human Services guidance that “clearly sets parameters that facilitate responsible cloud service use.”