ELEVATE YOUR HIPAA COMPLIANCE: Explore Our Enhanced Toolkit Today
Access Toolkit
Purchase Toolkit
Back to Blog

OCR releases guidance on Cloud Computing and HIPAA

Cloud computing has the ability to help health care organizations become more efficient in our increasingly digital industry. No question there. But is it really possible for covered entities and business associates to take full advantage of cloud computing and remain HIPAA compliant in protecting the privacy and security of electronic protected health information (ePHI)? Yes, it is.

Recognizing that this can be a bit of a cloudy issue, the OCR released a guidance on October 6 that attempts to clear things up regarding cloud service providers (CSP) and HIPAA. The OCR states that the guidance presents key questions and answers to assist HIPAA-regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information using cloud products and services.

Here are some important basics gleaned from the guidance:

♦ Regardless of whether the cloud vendor maintains encrypted data and has no control over the encryption, the mere fact the CSP maintains ePHI renders the CSP a business associate.

♦ The covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

♦ CSPs are subject to breach notification rules that apply to business associates of health care providers in the event information is stolen or compromised.

♦ A CSP is not a business associate if it receives and maintains only information that has been de-identified following the processes required by the Privacy Rule. 

♦ Health care providers may access cloud-based health information via mobile devices “as long as appropriate physical, administrative and technical safeguards are in place to protect the confidentiality, integrity and availability” of the information.

You may find the new guidance on OCR’s website. You may also contact the HIPAA experts at PrivaPlan for more clarification on the guidance and any other compliance issues. We are here to help. Contact us at info@privaplan.com or call 877-218-7707.

Related Posts

Recent Posts

Categories
Tags
AI Articles artificial intelligence Blog board Breach business associate CISO cyber risk cybersecurity cybersecurity awareness training electronic medical records email breach executive order Federal HIPAA Changes Final Rule health care health privacy HIPAA hipaa compliance HIPAA Training Meaningful Use Medicare multi-factor authentication OCR ONC passwords PHI phishing Policies & Procedures policies and procedures Privacy Quotes Ransomware Security Security Risk Analysis security training Service Technology Testimonials toolkit Training Materials two-step authentication website analytics website trackers

Get Started Today

Email us at info@privaplan.com or submit the form below:

Sign Up for Updates

Contact PrivaPlan

Telephone Sales & Support
505-466-1432  or
Toll Free: 1-877-218-7707
Fax: 505-466-3942

E-Mail Sales & Support
Customer Support: support@PrivaPlan.com
Sales: orders@PrivaPlan.com

Mailing Address:
PrivaPlan
5 Caliente Rd, Ste 3,
Santa Fe, NM 87508

© 2024 PrivaPlan Associates, Inc, all rights reserved.

FOLLOW US

Linkedin Envelope

Access PrivaPlan Toolkit

Click here to access

Access CMA-PrivaPlan Toolkit

Click here to access

Sign up for updates

  • Be Proactive In Compliance

Sign up. Learn about Compliance

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.