The Cloud and HIPAA Compliance
On Oct. 7, the Office for Civil Rights (OCR) provided guidance for covered entities (CEs) and business associates (BAs) in the healthcare industry on the use of cloud services and cloud service providers (CSPs). The guidance will allow CEs and BAs to use cloud services while still maintaining compliance with Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Cloud computing offers an array of options for CEs and BAs, including data storage and outsourced online services. OCR’s guidance suggests that CEs and BAs familiarize themselves with the definitions of cloud services provided by the National Institute of Standards and Technology.
When a CE engages the services of another entity to create, receive, maintain, or transmit electronic protected health information (ePHI), the cloud service provider is considered a business associate. Moreover, when a business associate subcontracts with a CSP, the subcontractor is also considered a business associate. Per final omnibus rules, CEs, BAs, and subcontractor BAs are all required to adhere to HIPAA privacy and security rules.
What You Need to Know
The OCR’s guidance is organized into FAQs about solutions provided by cloud service providers. Here are the most important aspects of those FAQs:
- When a CSP is a business associate, the CSP and CE must enter into a HIPAA-compliant business associate agreement (BAA) or a service-level agreement (SLA) that includes terms consistent with a BAA as well as with HIPAA privacy and security rules. The covered entity should fully understand how the data is being used and protected, and should apply the appropriate risk management policies to the business associate.
- Per final omnibus rules, both the CE and the BA must conduct a risk analysis to identify and assess the threats and vulnerabilities associated with confidentiality, integrity, and availability of the ePHI. The extent of any assessment should be based on how the ePHI is used and how it is protected.
- Depending on how the ePHI is used, the CE, and not the BA, can be responsible for certain HIPAA security rules. For example, the covered entity may be responsible for the authentication of access to the ePHI maintained by the CSP. However, the cloud service provider would still need to document how administrative access is authenticated and what internal controls are implemented by the CSP.
- A CSP is still considered a business associate even if the CSP only stores encrypted (no-view) ePHI regardless of who possesses the decryption key. However, in this case, a CSP is not considered a “conduit” if it only has no-view access to the ePHI. OCR defines a conduit as a provider that simply transmits PHI, but does not have routine access to it (the Postal Service, for example, is a conduit).
- CEs and BAs can use mobile devices to access ePHI in the cloud as long as the appropriate safeguards are in place to provide the confidentiality, integrity, and availability of the ePHI.
- CSPs are not required to maintain ePHI beyond the time for which the CSP is providing services to the covered entity or business associate. The privacy rules state that the BAA should contain language about the return or destruction of PHI at the end of the agreement period where feasible.
- Covered entities and business associates may use CSPs that store ePHI outside of the United States if the appropriate HIPAA-compliant BAA is in place and if the CSP is following all applicable standards set forth by the HIPAA privacy and security rules.
- A CSP is not considered a business associate if the CSP only receives and maintains de-identified information.
Using cloud services can be very attractive for many healthcare organizations and covered entities. Cloud services provide appealing benefits, including ease of use, ability to access the data via a mobile device, and scalability of resources. However, using cloud services does come with risks. The risks and rewards should be weighed when engaging with a third-party service provider. If the reward does outweigh the risk, the covered entity should follow the OCR’s guidance when engaging with a cloud service provider as well as perform a due diligence third-party risk assessment that conforms to the organization’s standards.