Cloud Computing for HIPAA Compliance is finally gaining adoption in US Healthcare. When I attended the Medical Informatics World Conference in Boston last year, I joined an interactive breakout discussion group on "Leveraging the Cloud." Of the dozen or so people in the group, only a few people were actually using the cloud in their organization. The internet moves fast however, especially in Cloud computing. So I put together this post to answer the most frequently asked questions around Cloud computing and HIPAA compliance. To make it easier to navigate, you can click on any question and jump to the answer.
SEE ALSO: Speaking on the Future of Cloud Security at TiE Silicon Valley Without further ado, here are the Top 10 frequently asked questions around HIPAA and Cloud computing:
- May a HIPAA Covered Entity or Business Associate use a Cloud service to store or process Protected Health Information?
- If a Cloud vendor stores only encrypted ePHI and does not have a decryption key, is it a HIPAA Business Associate?
- Can a Cloud vendor be considered to be a conduit like the Postal Service and therefore not a Business Associate?
- What if a Covered Entity or Business Associate uses a Cloud vendor to maintain ePHI without first executing a Business Associate Agreement?
- If a Cloud vendor experiences a security incident involving a customer's ePHI, must it report the incident to the customer?
- Is it HIPAA Compliant to use mobile devices to access PHI in the Cloud?
- Do the HIPAA Rules require a Cloud vendor to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
- Is it HIPAA Compliant to use a Cloud vendor that stores ePHI on servers outside of the United States?
- Under HIPAA, are Cloud vendors required to provide documentation or allow auditing of their security practices by their customers?
- If a Cloud vendor receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a Business Associate?
1. May a HIPAA Covered Entity or Business Associate use a Cloud service to store or process Protected Health Information?
Yes, as long as the Covered Entity or Business Associate enters into a Business Associate Agreement (BAA) with the Cloud vendor. As a recap, the BAA establishes the permitted and required uses and disclosures of Protected Health Information (PHI) by the Business Associate performing services for the Covered Entity or Business Associate. The BAA also contractually requires the Business Associate to appropriately safeguard ePHI. This includes implementing the requirements of the Security Rule. It should be noted both Covered Entities and Business Associates must conduct recurring risk analyses to identify and assess potential threats and vulnerabilities to ePHI.
2. If a Cloud vendor stores only encrypted ePHI and does not have a decryption key, is it a HIPAA Business Associate?
Yes. Lacking an encryption key does not exempt a Cloud vendor from Business Associate status and its obligations under HIPAA guidelines. As a recap, an organization that maintains ePHI on behalf of a Covered Entity or Business Associate is itself a business associate, even if it cannot actually view the data.
3. Can a Cloud vendor be considered to be a conduit like the Postal Service and therefore not a Business Associate?
In most cases, no. Cloud vendors that provide services to a Covered Entity or Business Associate that involve creating, receiving, or maintaining electronic Protected Health Information (ePHI) meet the definition of a Business Associate. The conduit exception is limited to transmission-only services for PHI. Any access to PHI by a conduit is only transient in nature.
4. What if a HIPAA Organization uses a Cloud vendor to maintain ePHI without first executing a Business Associate Agreement?
If a HIPAA entity uses a Cloud vendor to process or store ePHI without first signing a BAA, they are in violation of HIPAA. In fact, we've written about it here: HIPAA Breaches and Cloud Providers If a Cloud vendor becomes aware that it is maintaining ePHI, it must come into compliance with the HIPAA Rules or securely return or destroy the customer's ePHI. Once the Cloud vendor securely returns or destroys the ePHI, it is no longer a considered a Business Associate.
5. If a Cloud vendor experiences a security incident involving a customer's ePHI, must it report the incident to the customer?
Yes. The HIPAA Security Rule requires HIPAA Compliant Cloud vendors to identify and respond to suspected or known security incidents. It also requires them to mitigate harmful effects of security incidents and document their outcomes. In addition, a BAA requires the Cloud vendor to report to its customers any security incidents that it becomes aware of. The Security Rule however, is both flexible and opaque. It does not mandate the level of detail, frequency, or format of reports of security incidents.
6. Is it HIPAA Compliant to use mobile devices to access PHI in the Cloud?
Yes. Health care providers, other Covered Entities, and Business Associates can use mobile devices to access electronic Protected Health Information (ePHI) in the cloud. Of course the appropriate physical, administrative, and technical safeguards must be in place to protect ePHI. This includes both on the mobile device and in the cloud. Lastly, BAAs must also be in place with any third party service providers for the device and/or the cloud vendor.
SEE RELATED: How Can You Protect and Secure Health Information When Using a Mobile Device?
7. Do the HIPAA Rules require a Cloud vendor to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
No. HIPAA guidelines do not require a Business Associate to maintain ePHI beyond the time it provides services to a Covered Entity or Business Associate. In fact, the Privacy Rule says that a BAA requires a Business Associate to return or destroy all PHI at the termination of the BAA.
8. Is it HIPAA Compliant to use a Cloud vendor that stores ePHI on servers outside of the United States?
Yes. As long as a BAA is in place with the Cloud vendor and customer, HIPAA regulations do not specifically prohibit storing ePHI outside the U.S. There is some vagueness to this guidance however. The U.S Department of Health and Human Services ( HHS) warns that outsourcing storage of ePHI overseas may increase the risks and vulnerabilities to its protection. They also note these risks should be taken into account when conducting recurring risk analyses, which are required by the Security Rule.
9. Under HIPAA, are Cloud vendors required to provide documentation or allow auditing of their security practices by their customers?
No. Instead, HIPAA Regulations require Business Associates and Covered Entities to obtain BAA's with their respective Cloud vendor(s). The Cloud vendor is directly responsible for safeguarding electronic PHI in accordance with the HIPAA Security Rule. HIPAA Rules do not require Cloud vendors provide documentation of their security practices nor allow customers to audit their security practices. Customers may however, require a Cloud vendor to sign paperwork for additional assurances of PHI protections.
10. If a Cloud vendor receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a Business Associate?
No. A Cloud vendor is not a Business Associate if it receives and maintains only de-identified information. According to the HIPAA Privacy Rule and Security Rule, de-identified information is not considered protected health information.
Bonus Question: Which Cloud vendors offer HIPAA Compliant Cloud Services?
We've put together a list here:
You can also find HIPAA Compliant Hosting through specialized vendors.
Source: Guidance on HIPAA & Cloud Computing [HHS]
Try Paubox Email Suite for FREE today.