Covered entities and business associates alike should take a close look at the latest federal Cloud Guidance, and an even closer look at their relationships with cloud vendors, particularly given that the Office for Civil Rights (OCR) has made it abundantly clear that it does not hesitate to enforce against entities that impermissibly disclose Protected Health Information (PHI) to vendors without satisfactory assurances (i.e., a compliant business associate agreement) in place.
In the past year, the Department of Health and Human Services' Office for Civil Rights (OCR) has issued a number of guidance documents to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164; collectively, "the HIPAA Rules"). Its latest guidance (the Cloud Guidance) clarifies, through a series of FAQs, OCR's position on cloud service providers (CSPs) as business associates and the related requirements under the HIPAA Rules. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., hosting a full electronic medical record system in the cloud versus limited application hosting).
OCR opens the Cloud Guidance by clarifying its position on an issue that covered entities and CSPs have debated for quite some time: whether a CSP is a business associate when the PHI stored in its cloud is encrypted and the CSP does not hold the encryption key.