HIPPA Cloud Computing Guidance Issued by HHS

by | Oct 12, 2016

The Department of Health and Human Services has issued updated guidance on HIPAA and healthcare cloud computing to help covered bodies use the cloud without risking a HIPAA breach. The main emphasis of the guidance is the use of cloud service providers (CSPs).

Cloud service providers that are legally separate bodies from a HIPAA-covered entity are classified as business associates under HIPAA rules if the CSP is needed to create, receive, maintain, or transmit electronic protected health information (ePHI). A CSP is also classified as a business associate when a business associate of a covered body subcontracts services to the CSP that involve making, receiving, maintaining, or transmitting ePHI.

It should be noted that even when a HIPAA covered body, business associate, or subcontractor of a business associate supplies ePHI to a CSP in encrypted form, the CSP is still defined as a business associate under HIPAA Rules, even if a key to decrypt the data is not supplied.

A CSP would not be classed as a business associate and would therefore not need to adhere with HIPAA Rules if de-identified ePHI is supplied, provided data have been de-identified in adherence with the HIPAA Privacy Rule.

According to the HIPAA Security Rule, business associates are required to put in place security measures to protect the confidentiality, integrity and availability of ePHI. Limitations are also placed on the use and disclosure of ePHI. Under the HIPAA Breach Notification Rule, a CLA is required to notify the covered entity or its business associate of a breach of ePHI.

Before the services of a CSP are contracted it is important for both parties to enter into a HIPAA-compliant business associate agreement (BAA). The CSP is contractually obliged to abide by the terms of the BAA and is directly liable for ensuring compliance with HIPAA Rules. Should HIPAA Rules be violated by the CSP, Office for Civil Rights (OCR) is authorized to issue fines for non-compliance. Fines can go as high as $1.5 million per HIPAA violation category.

The importance completing a HIPAA-compliant BAA with a CSP was shown in July this year. OCR agreed to settle with Oregon Health & Science University in Portland for $2.7 million after an investigation showed that ePHI had been stored on a Google-cloud based service without a HIPAA-compliance BAA having first been agreed.

OCR suggests that along with a BAA, a service level agreement (SLA) can be used to address specific expectations including issues related to HIPAA compliance. The SLA can incorporate provisions to address the CLA’s responsibilities with respect to security, data backup and recovery, the return of data following the end of a contract, data retention, data use, disclosure limitations, and system availability and reliability. However, the SLA should be in line with the BAA and HIPAA Rules. Covered bodies should note that a SLA does not constitute a business associate agreement.

The guidance on HIPAA and cloud computing was updated after the receipt of numerous queries from covered entities and business associates showing there was considerable confusion about HIPAA and cloud computing services.

OCR points out that covered bodies should not seek advice on specific technology, products, or cloud services. OCR does not endorse, certify, or recommend any cloud service, technology, or product.

A number of commonly asked questions have been answered in the guidance on HIPAA and cloud computing which can be seen by clicking here..

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy