The Department of Health and Human Services has issued updated guidance on HIPAA and healthcare cloud computing to help covered bodies use the cloud without risking a HIPAA breach. The main emphasis of the guidance is the use of cloud service providers (CSPs).
Cloud service providers that are legally separate bodies from a HIPAA-covered entity are classified as business associates under HIPAA rules if the CSP is needed to create, receive, maintain, or transmit electronic protected health information (ePHI). A CSP is also classified as a business associate when a business associate of a covered body subcontracts services to the CSP that involve making, receiving, maintaining, or transmitting ePHI.
It should be noted that even when a HIPAA covered body, business associate, or subcontractor of a business associate supplies ePHI to a CSP in encrypted form, the CSP is still defined as a business associate under HIPAA Rules, even if a key to decrypt the data is not supplied.
A CSP would not be classed as a business associate and would therefore not need to adhere with HIPAA Rules if de-identified ePHI is supplied, provided data have been de-identified in adherence with the HIPAA Privacy Rule.
According to the HIPAA Security Rule, business associates are required to put in place security measures to protect the confidentiality, integrity and availability of ePHI. Limitations are also placed on the use and disclosure of ePHI. Under the HIPAA Breach Notification Rule, a CLA is required to notify the covered entity or its business associate of a breach of ePHI.
Before the services of a CSP are contracted it is important for both parties to enter into a HIPAA-compliant business associate agreement (BAA). The CSP is contractually obliged to abide by the terms of the BAA and is directly liable for ensuring compliance with HIPAA Rules. Should HIPAA Rules be violated by the CSP, Office for Civil Rights (OCR) is authorized to issue fines for non-compliance. Fines can go as high as $1.5 million per HIPAA violation category.
The importance completing a HIPAA-compliant BAA with a CSP was shown in July this year. OCR agreed to settle with Oregon Health & Science University in Portland for $2.7 million after an investigation showed that ePHI had been stored on a Google-cloud based service without a HIPAA-compliance BAA having first been agreed.
OCR suggests that along with a BAA, a service level agreement (SLA) can be used to address specific expectations including issues related to HIPAA compliance. The SLA can incorporate provisions to address the CLA’s responsibilities with respect to security, data backup and recovery, the return of data following the end of a contract, data retention, data use, disclosure limitations, and system availability and reliability. However, the SLA should be in line with the BAA and HIPAA Rules. Covered bodies should note that a SLA does not constitute a business associate agreement.
The guidance on HIPAA and cloud computing was updated after the receipt of numerous queries from covered entities and business associates showing there was considerable confusion about HIPAA and cloud computing services.
OCR points out that covered bodies should not seek advice on specific technology, products, or cloud services. OCR does not endorse, certify, or recommend any cloud service, technology, or product.
A number of commonly asked questions have been answered in the guidance on HIPAA and cloud computing which can be seen by clicking here..