DHS Issues Guidance on HIPAA and Cloud Computing

• By: Staff Editor
• Date: October 25, 2016
• Source: http://www.natlawreview.com/article/department-health-and-human-services-issues-guidance-hipaa-and-cloud-providers

DHS Issues Guidance on HIPAA and Cloud Computing

Cloud computing, an indelible part of healthcare systems and networks today, will now be regulated and brought under the HIPAA fold. DHS released the guidance that details the requirements for cloud computing service providers (CSP providers), clarifying that CSPs that create, receive, maintain, or transmit PHI (protected health information) on behalf of a business associate or covered entity are deemed business associates according to HIPAA.

In particular, this guidance will strongly apply to medical device manufacturers who store data on the cloud and access it regularly.

Key questions addressed in the guidance include:

• May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
• If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
• Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
• Which CSPs offer HIPAA-compliant cloud services?
• What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
• Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

The HHS guidance has addressed these questions and more to ensure clarity in adhering to HIPAA requirements.

Related Training:

Understanding HIPAA Security Rule Requirements