Office for Civil Rights Issues Guidance on HIPAA and Cloud Computing

PUBLISHED: Oct 10, 2016

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued new guidance to assist organizations, including cloud service providers (CSPs), in understanding their HIPAA obligations. The guidance presents key questions and answers to assist HIPAA-regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information (ePHI) using cloud products and services.

The guidance specifically focuses on cloud resources offered by a CSP that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions (e.g., an electronic medical record system), platforms to simplify the ability of application developers to create new products, and entire computing infrastructure for software programmers to deploy and test programs. Common cloud services provide on-demand internet access to computing services (e.g., networks, servers, storage, applications).

Key points from the guidance include:

  • When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA.
  • When a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.
  • Note: This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

Included with today’s notice are sample business associate agreement provisions and considerations for BAAs with cloud service providers. Covered entities should review the entire HHS OCR guidance and also consult with legal counsel prior to entering into any BAAs.
