HIPAA defines cloud service providers as business associates when they handle patient data on behalf of covered entities or business associates.
What are cloud service providers (CSPs)?
NIST defines cloud computing as follows: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)...”
CSPs are companies that offer networked computer system resources and services such as data storage and computing power. The services are hosted in the cloud instead of on local servers or personal devices. CSPs allow businesses and individuals to access powerful computing resources without a hefty capital investment in physical infrastructure.
CSPs offer services under models like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), each serving different levels of management and customization based on user needs.
Defining CSPs under HIPAA
CSPs that manage electronic protected health information (ePHI) on behalf of covered entities are defined as business associates. According to the HHS, “...when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.” This means that as a business associate responsible for creating, receiving, maintaining, or transmitting ePHI, they need to comply with the Privacy, Security, and Breach Notification rules to protect the data they handle.
Ensuring security when transacting with CSPs
- Conducting due diligence: Before engaging a CSP, organizations should perform due diligence to verify that the CSP’s security policies and procedures meet the compliance requirements of the organization.
- Business associate agreement: Set up a business associate agreement (BAA) that establishes the roles, responsibilities, and liabilities of both parties related to protecting ePHI.
- The shared responsibility model: Define which security controls are managed by the CSP and which are handled by the healthcare organization. This creates a clear demarcation of roles and of the shared responsibility for the data.
- Service level agreements: Setting up agreements that stipulate the negotiated security and compliance metrics allows for clearer terms regarding penalties for underperformance.
FAQs
What is a covered entity?
An organization that provides healthcare services or pays for the cost of care and engages in certain electronic transactions covered under HIPAA.
What is a business associate?
A person or entity that performs certain functions or activities on behalf of covered entities.
What is a subcontractor?
A company hired by a business associate to help fulfill its duties and activities on behalf of a covered entity.