The Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) recently released guidance on cloud computing that allows entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to take advantage of cloud service providers (CSPs) while still complying with HIPAA. This guidance is welcome at a time when employers are moving increasingly to an electronic atmosphere—with access to protected health information (PHI) being offered through mobile devices and data being saved on cloud platforms.

CSPs generally offer online access to sharing computer resources ranging from data storage to complete software solutions (e.g., electronic medical record systems). Common cloud services include on-demand internet access to computing services (e.g., networks, servers, storage, and applications).

OCR’s Guidance

The guidance describes OCR’s position on the obligation of covered entities and business associates that use CSPs to manage electronic PHI (ePHI). Specifically, the guidance states that CSPs are business associates even if the CSP processes or stores only encrypted data and lacks an encryption key for such data. This means that, even if the CSP cannot view the data, it is still considered a business associate.

As a result, the covered entity (or business associate, if the CSP is a downstream subcontractor to a business associate) must enter into a HIPAA-compliant business associate agreement (BAA) with the CSP provider. In addition to being contractually required to comply with HIPAA through a BAA, CSP providers are directly liable for compliance with the applicable requirements of the HIPAA rules, notably the HIPAA Security Rule’s physical, administrative, and technical safeguards.

With regard to mobile devices, the OCR guidance states that covered entities may use mobile devices to access ePHI “in the cloud” as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of ePHI on the mobile device and in the cloud. This includes ensuring that appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI. OCR has issued recommendations on how to protect and secure ePHI when using a mobile device.

Next Steps

A covered entity (or business associate) that engages a CSP should conduct a risk analysis and establish risk management policies addressing its relationship with the CSP, as well as enter into a BAA with any CSP that stores its data.