October 24, 2016
Area(s) of Interest: Health Information Technology | HIPAA | Patient Privacy | Licensing & Regulatory Issues
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released updated guidance on the use of cloud computing to store or transmit electronic protected health information (ePHI). The guidance clarifies that a cloud service provider that creates, receives, maintains or transmits ePHI on behalf of a covered entity is a "business associate" under HIPAA, even if the provider only stores encrypted data and does not hold the decryption key needed to view it. Encryption limits what the provider can see, but it does not remove the provider's obligations under the HIPAA Rules.
This means that if a covered entity (or business associate) uses a cloud service provider to maintain ePHI without entering into a business associate agreement, the covered entity (or business associate) is in violation of HIPAA.
“As a business associate, a cloud service provider providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules,” OCR said. “However, the requirements of the rules are flexible and scalable to take into account the no-view nature of the services provided by the [cloud service provider].”
The guidance applies regardless of the type of cloud service. Cloud service providers generally offer online access to shared computing resources at varying levels of functionality: simple data storage; complete software solutions (e.g., an electronic health record system); platforms that let application developers build new products; and entire computing infrastructures on which software programmers deploy and test their programs.
The guidance also answers several other common questions about cloud computing and HIPAA. The full guidance is available from OCR on the HHS website.
For more information, see CMA On-Call document #3301 "Physician Use of Mobile Devices and Cloud Computing." CMA On-Call documents are available free to members in CMA's online health law library at www.cmadocs.org/health-law-library. Nonmembers can purchase documents for $2 per page in the CMA Resource Library.