08 June 2017

Are Your Cloud Computing Arrangements HIPAA-Compliant?


The use of third-party cloud service providers (CSPs) is becoming increasingly popular in today’s business environment.  Not surprisingly, “covered entities” and “business associates,” as those terms are defined under the Health Insurance Portability and Accountability Act (HIPAA), are also exploring various cloud-based solutions for maintaining protected health information (PHI).

The good news is: the Office for Civil Rights (OCR) has confirmed that covered entities and business associates may contract with CSPs to create, receive, maintain or transmit PHI on behalf of the covered entity or business associate.  But such relationships must comply with HIPAA’s privacy, security and breach notification rules.  In an effort to promote compliance with these rules, OCR issued helpful guidance, which is available here: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.

We recommend that any covered entity or business associate that is contemplating the use of a CSP with respect to PHI carefully review this OCR guidance.  For your convenience, however, here is a high-level summary of OCR’s guidance:

  • The covered entity or business associate and the CSP must enter into a HIPAA-compliant business associate agreement (“BAA”). In fact, the use of a CSP to maintain PHI without a BAA is a violation of HIPAA.  (OCR recently entered into a settlement agreement with a covered entity in which the covered entity agreed to pay a fine of $2.7 million for potential HIPAA violations resulting from the use of a CSP without a BAA.)
  • The covered entity or business associate must understand the CSP’s cloud computing environment or solution so that the appropriate risk analysis can be conducted.
  • A CSP is also a business associate. As a result, a CSP must comply with HIPAA and is directly liable for any violations of HIPAA.
  • A CSP will rarely, if ever, qualify for the “conduit” exception to HIPAA’s definition of business associate.
  • A covered entity or business associate may use mobile devices to access PHI that is maintained on the cloud, as long as the appropriate physical, administrative and technical safeguards are in place to protect the PHI.
  • A CSP that only receives and maintains de-identified PHI is not a HIPAA business associate. As a result, the HIPAA rules don’t apply to a CSP that only receives and maintains de-identified PHI.

Please contact any member of Miller Johnson’s Privacy and Data Security team if you have any questions or would like assistance evaluating whether your relationships with CSPs are HIPAA-compliant.

Post authored by Tripp VanderWal.