New Guidance on HIPAA and the Cloud
Health care providers that store electronic protected health information on the cloud should pay attention to the new guidance the federal government released.
The guidance makes clear that when a covered entity engages a cloud services provider (“CSP”) to create, receive, maintain or transmit ePHI, the CSP is a business associate of the covered entity. Interestingly, the cloud service provider is still considered a business associate even if the CSP stores only encrypted ePHI and does not have a decryption key. A covered entity or business associate that uses a CSP for ePHI without entering into a business associate agreement is in violation of HIPAA.
Covered entities should perform a risk management assessment of the CSP service and relationship. Depending on whether the CSP provides a public, hybrid or private cloud service, the risk management program surrounding the covered entity’s use of the CSP will vary. The covered entity should examine whether it is the CSP’s or its own responsibility to encrypt and to provide authentication, and protect accordingly.
The guidance also makes clear that HIPAA does not require the information to be kept on cloud servers in the US. It also states that the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud, something generally understood to be permissible.
If you utilize a CSP for PHI and have questions about whether your relationship properly complies with HIPAA or would like your business associate agreement with the CSP reviewed, call us.