Sign in

OCR releases guidance on Cloud Computing and HIPAA

By: Lisa Marlin

October 11, 2016

Cloud computing has the ability to help health care organizations become more efficient in our increasingly digital industry. No question there. But is it really possible for covered entities and business associates to take full advantage of cloud computing and remain HIPAA compliant in protecting the privacy and security of electronic protected health information (ePHI)? Yes, it is.

Recognizing that this can be a bit of a cloudy issue, the OCR released a guidance on October 6 that attempts to clear things up regarding cloud service providers (CSP) and HIPAA. The OCR states that the guidance presents key questions and answers to assist HIPAA-regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information using cloud products and services.

Here are some important basics gleaned from the guidance:

♦ Regardless of whether the cloud vendor maintains encrypted data and has no control over the encryption, the mere fact the CSP maintains ePHI renders the CSP a business associate.

♦ The covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

♦ CSPs are subject to breach notification rules that apply to business associates of health care providers in the event information is stolen or compromised.

♦ A CSP is not a business associate if it receives and maintains only information that has been de-identified following the processes required by the Privacy Rule. 

♦ Health care providers may access cloud-based health information via mobile devices “as long as appropriate physical, administrative and technical safeguards are in place to protect the confidentiality, integrity and availability” of the information.

You may find the new guidance on OCR’s website. You may also contact the HIPAA experts at PrivaPlan for more clarification on the guidance and any other compliance issues. We are here to help. Contact us at info@privaplan.com or call 877-218-7707.