Today, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued cloud computing guidance for HIPAA covered entities. The new guidance was issued in response to numerous questions that had been asked by covered entities and their business associates about how cloud services could be adopted without falling afoul of HIPAA Rules. The new cloud computing guidance for HIPAA covered entities can also be used by cloud services providers (CSPs) to learn about their obligations under HIPAA Rules when contracted to work with healthcare organizations.
The cloud offers many benefits to covered entities, and a wide range of cloud services are now available, from data storage to housing electronic health record systems. However, before any cloud service is used, a covered entity must ensure that protections are in place to preserve the confidentiality, integrity, and availability of ePHI.
Health Insurance Portability and Accountability Act Rules must be followed by all covered entities and their business associates. Typically, a covered entity is a health plan, healthcare provider, or healthcare clearinghouse. A business associate is any person or organization that performs functions on behalf of the covered entity that involve creating, receiving, maintaining, or transmitting ePHI. HIPAA Rules also apply to any subcontractor of a business associate of a covered entity.
A CSP would become a business associate if it provided services that involve creating, receiving, maintaining, or transmitting ePHI and would therefore be required to comply with HIPAA Rules. Prior to any ePHI being provided to a business associate, the covered entity and that business associate must enter into a HIPAA-compliant business associate agreement or BAA. The BAA outlines the responsibilities and contractual liabilities of the business associate with respect to ePHI.
The failure to enter into a HIPAA-compliant BAA is a violation of HIPAA Rules and can result in financial penalties being issued to the covered entity. If a business associate – a CSP for example – enters into a BAA and fails to fulfil its obligations with respect to keeping ePHI secure, OCR can fine the BA/CSP directly.
The new guidance covers some of the common questions asked by covered entities and their business associates and explains the responsibilities of both CSPs and covered entities under the HIPAA Privacy, Security, and Breach Notification Rules.
The cloud computing guidance for HIPAA covered entities can be viewed here.