Need answers? HHS covers 11 questions on HIPAA, cloud computing

The U.S. Department of Health and Human Services (HHS) has released a guide on HIPAA and cloud computing in an effort to improve the security of patient information.

In an effort to ensure the safety of all information, HHS has addressed questions frequently asked in regard to this new technology. The guide provides HIPAA-regulated cloud service providers (CSPs) a chance to better understand the responsibilities associated with using cloud products.

The frequently asked questions and answers are as followed:

1. May a HIPAA covered entity or business associate use a cloud service to store or process electronic protected health information (ePHI)?

Yes, as long as the covered entity makes an agreement or contract with a HIPAA-compliant business associate that states that the CSP will create, receive and maintain electronic protected health information and follows HIPPA Rules.

2. If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

Yes, it remains a business associate because the CSP still receives and maintains electronic protected health information for a covered entity.  Not having an encryption key for encrypted data does not undo the business associate status and regulations of HIPPA rules of a CSP.

3. Can a CSP be considered to be a “conduit” like the postal service and, therefore, not a business associate that must comply with the HIPAA?

CSPs that provide cloud services to a covered entity that involve the creating, receiving and maintaining of electronic protected health information are considered a business associate.

4. Which CSPs offer HIPAA-compliant cloud services?

The Office for Civil Rights does not have certain recommendations for which technology or products CSPs chose.

5.  What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?

The covered entity is in volition of the HIPAA rules if it uses a CSP to maintain electronic protected health information without an agreement with a business associate.

6. If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?

Yes. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires business associates to report any incidences that may harm the security of information and document the incident and outcomes. That same security rule also states that agreements must require business associates report the security incident to the covered entity to which the electronic protected health information belongs.

7. Do the HIPAA rules allow healthcare providers to use mobile devices to access ePHI in a cloud?

Yes, healthcare providers are allowed to use mobile devices as long as the devices are securely protected and electronic protected health information is available on the device and the cloud. Business associate agreements from third party providers of the device will also have access to the electronic protected health information.

8. Do the HIPAA rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

No, HIPAA rules do not require business to maintain electronic protected health information past the time where services were provided to a covered entity or business associate. 

9. Do the HIPAA rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

Yes, as long as the covered entity enters an agreement with the CSP and follows the set rules of HIPPA.

10. Do the HIPAA rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates? 

No, HIPAA rules require covered entity and business associate customers to have assurances of a business associate agreement with the CSP. The CSP will keep protected health information that it creates, receives and transmits for the business under the rules set by HIPAA. The CSP is also directly liable if this information is not protected in accordance with the security rule.

11. If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?

No, if a CSP receives and maintains only de-identified information, it is not a business associate following the processes required by the Privacy Rule.