HIPAA & Cloud Computing

Submitted by


Mon, 12/19/2016 - 11:48

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are unsure whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). 

Cloud Services Providers (CSPs) generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions (e.g., an electronic medical record system), platforms to simplify the ability of application developers to create new products, and entire computing infrastructure for software programmers to deploy and test programs.   Common cloud services are on-demand internet access to computing (e.g., networks, servers, storage, applications) services.  I recommend covered entities and business associates seeking information about types of cloud computing services and technical arrangement options to consult a resource offered by the National Institute of Standards and Technology; SP 800-145, The NIST Definition of Cloud Computing - PDF.

The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) establish important protections for individually identifiable health information (called protected health information or PHI when created, received, maintained, or transmitted by a HIPAA covered entity or business associate), including limitations on uses and disclosures of such information, safeguards against inappropriate uses and disclosures, and individuals’ rights with respect to their health information. 

Covered entities and business associates must comply with the applicable provisions of the HIPAA Rules. A covered entity is a health plan, a health care clearinghouse, or a health care provider who conducts certain billing and payment related transactions electronically.  A business associate is an entity or person, other than a member of the workforce of a covered entity, that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. A business associate also is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA.  Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.  This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data.  Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules.   As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.

This presents key questions to HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services.

Contact Unatek, Inc. if you need expert answers to questions like:

1. May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

2. If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

3. Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?&

4. Which CSPs offer HIPAA-compliant cloud services?

5.  What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?

6. If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?

7. Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

8. Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

9. Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

10. Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates? 

11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?

Unatek, Inc. has over 18 years of dedicated support to the U.S. federal government and commercial clients. Unatek is at the forefront of technological advances, government policy, envisioning the need for IT Solutions, information and operational security, investing in facilities, corporate infrastructure and personnel to expand our service offerings as a highly qualified Information Technology company. Unatek continues to be an early adopter of advanced processes, toolsets, security technologies, and services necessary to support our federal and commercial clients. Unatek's dedication and commitment has ensured lasting relationships with our government and commercial clients over the years. Unatek provides customer focused consulting and technical services to both private sector businesses and public sector organizations. With industry experts, cutting-edge technologies, and time-tested processes.Are you sure that you know what a Penetration Test is?

Share this: