In recent guidance, OCR confirmed a number of positions it has taken informally over the years regarding how HIPAA affects cloud computing arrangements. For example, OCR stated that a company that stores protected health information (PHI) in the cloud for an entity subject to HIPAA is a business associate, even if the PHI is encrypted and the business associate has no way to access it. Failure to enter into a business associate agreement with a cloud service provider (CSP) storing PHI would violate the HIPAA regulations. OCR noted that CSPs generally do not qualify as conduits that would not need to enter into business associate agreements.
CSPs may store PHI outside of the United States, although the risks associated with such arrangements must be analyzed. A particularly helpful portion of the guidance makes it clear that a business associate is not required to subject itself to audits by the covered entity or provide special documentation to the covered entity documenting its security practices. The guidance is designed to assist both CSPs and the covered entities and business associates that use them.