More healthcare organizations are adopting cloud computing and storing patient data in the cloud. What does this mean for ensuring HIPAA compliance?
HHS released a guidance on HIPAA and cloud computing. Here are five things to know.
1. The guidance clarifies that any cloud services provider engaged by a HIPAA-covered entity becomes a business associate under HIPAA, and therefore is subject to establishing protections, safeguards and limitations on uses and disclosures of patient information as outlined by the HIPAA rules.
2. Additionally, if a business associate subcontracts with a cloud services provider to create, receive, maintain or transmit electronic protected health information on its behalf, the cloud services provider again is deemed a business associate. "This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data," according to the guidance.
3. Therefore, cloud services providers should enter HIPAA-compliant business associate agreements with both a covered entity and other business associates with which it is doing business, and the cloud services provider becomes liable for complying with the HIPAA rules.
The guidance points to the case of Oregon Health & Science University in Portland, which in July agreed to a $2.7 million settlement for alleged HIPAA violations with the Office for Civil Rights after investigation into a data breach found providers had stored patient information on a Google-based cloud platform but did not have a contractual relationship or business associate agreement to do so.
4. However, a CSP is not considered a business associate if it receives and maintains information that has been de-identified following the processes required by HIPAA's Privacy Rule.
5. In the event a cloud services provider is breached, it still must comply with breach notification requirements that apply to business associates.
Click here to read the full guidance.
More articles on HIPAA:
Hospital officials note possible HIPAA breach at Martin Army Hospital
HIPAA awareness & compliance among medical practices: 6 key survey findings
Care New England $400k HIPAA settlement highlights importance of updated business associate agreements