There has historically been confusion surrounding cloud service providers (CSPs) and their HIPAA compliance obligations. To help provide clarity, the Department of Health and Human Services’ Office for Civil Rights (OCR) released guidance on HIPAA and cloud computing.
Healthcare organizations looking to implement cloud computing services to manage protected health information can use this guidance as a resource to address their HIPAA compliance concerns.
Are Cloud Providers Business Associates?
The big question in the healthcare sector revolves around whether or not CSPs qualify as business associates, and therefore, whether HIPAA regulations apply to them. For the most part, the answer is yes.
If a CSP is used to create, receive, maintain, store, or transmit protected health information on behalf of a HIPAA-regulated entity, they are in fact a business associate under HIPAA. The same applies to CSPs that only store encrypted information and don’t keep the decryption key.
The only exception to this relates to de-identified information. A CSP does not qualify as a business associate if it only receives and maintains information that has been de-identified following the protocols in the HIPAA Privacy Rule.
Business Associate Agreements
With CSPs falling under the umbrella of business associates, the discussion turns to the required agreements healthcare organizations need to have in place.
To comply with HIPAA, CSPs must enter into a business associate agreement (BAA) with the HIPAA-regulated entity they are engaging. CSPs will therefore be contractually liable under the BAA, and directly liable as a business associate for compliance with any applicable requirements under HIPAA rules.
Other service level agreement (SLA) provisions will need to be addressed and considered with the HIPAA rules in mind. SLA provisions often touch on system availability and data recovery, and these are specific areas addressed under HIPAA.
BAAs with CSPs also need to include incident notification provisions. The HIPAA Security Rule requires business associates to report any security incidents to the covered entity or upstream business associate.
Cloud services are often adopted in the healthcare sector as a means of cost saving or increased efficiency in operations. Companies engaging in cloud services need to perform a risk assessment to get an understanding of how their practices involving protected health information are affected.
As far as HIPAA compliance is concerned, OCR has given the healthcare sector a definitive answer: CSPs are considered business associates under HIPAA even if they only store encrypted ePHI.