On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing to help business associates and covered entities better understand their HIPAA obligations in the cloud. This information is much needed, as most businesses want to take advantage of cloud computing but aren’t aware of all the technical arrangements necessary to set up a compliant cloud infrastructure. It also reminds cloud service providers (CSPs), like OnRamp, of their responsibilities.
Based on the conversations we have with our customers and partners on a regular basis, these points from the guidance are the most asked and misunderstood:
- CSPs that create, receive, maintain or transmit electronic protected health information (ePHI) are classified as “business associates” under HIPAA. As a HIPAA business associate, the CSP must comply with all applicable HIPAA requirements.
- A CSP that stores encrypted ePHI without holding the decryption key is still considered a business associate under HIPAA. Although encryption protects against unauthorized use of ePHI, it does not address the other HIPAA requirements that apply to the CSP.
- A business associate and/or covered entity that uses a CSP for ePHI without having a signed business associate agreement violates HIPAA. The CSP is considered a business associate, and, therefore, is also liable and required to report known security incidents.
- CSPs may store ePHI on servers outside of the U.S. Even if your servers reside outside of the U.S., you must comply with the same HIPAA regulations. However, the HHS notes that risks and vulnerabilities may increase based on the geographic location and its propensity for attempted attacks.
- CSP business associates are not required to maintain ePHI after their agreement has ended. That sensitive data must be returned or destroyed.
- Healthcare providers are allowed to use mobile devices to access ePHI. Prior to doing so, the healthcare organization should have the appropriate physical, administrative, and technical safeguards to protect the sensitive information.