New Guidance on HIPAA and Cloud Computing Issued by the Department of Health and Human Services

As the health care industry continues to utilize new cloud computing technologies, the U.S. Department of Health and Human Services (“HHS”) issued guidance on how such technologies can be implemented while remaining compliant with the HIPAA Privacy, Security and Breach Notification Rules (the “ HIPAA Rules”).

Specifically, HHS explained that when covered entities or business associates engage cloud service providers (“CSPs”) to create, receive, maintain or transmit electronic protected health information (“ePHI”), the CSPs are considered business associates under HIPAA. Thus, the CSPs must enter into Business Associate Agreements (“BAAs”) with their customers obligating them to meet HIPAA standards and protect the privacy and security of ePHI they may receive. HHS also acknowledged that it has become common practice for CSPs to enter into Service Level Agreements (“SLAs”) with their customers. Covered entities and business associates who enter into SLAs must ensure that the terms of the SLA are consistent with their BAA and the HIPAA Rules.

It is important to note that, even if a CSP only receives encrypted ePHI and does not have the ability to decrypt and view the data, it is nonetheless obligated to comply with HIPAA. Encryption alone is not an adequate safeguard to protect the privacy and security of ePHI. However, as HHS explained, when a CSP does not view the ePHI it receives, certain HIPAA requirements may be satisfied for both the CSP and its customer through the action of only one of the parties. For example, control over who may access the ePHI may be the sole responsibility of the customer and encryption may be the sole responsibility of the CSP. In such cases, the terms of the BAA between the CSP and the customer should describe how each party will address its responsibilities under the HIPAA Rules.

In addition, while the risk of a breach of unsecured ePHI may be low for a CSP who does not decrypt the ePHI it receives, the CSP must nonetheless have breach notification policies in place. CSPs must notify their customers if a HIPAA breach occurs and failure to do so may subject the CSP to direct liability. Moreover, CSPs cannot block a customer’s access to ePHI in a way that inhibits the customer to meet its obligations under the HIPAA Rules, including the obligation to provide individuals with access the their ePHI and an accounting of certain disclosures of their ePHI.

Both the CSPs and their customers must conduct risk assessments to identify potential threats and vulnerabilities to the privacy and security of ePHI they maintain. Thus, covered entities and business associates that engage a CSP should have an adequate understanding of how the cloud computing will function in order to conduct their risk assessment.