New guidance lays out HIPAA obligations for cloud computing
The Department of Health and Human Services has published new guidance on complying with HIPAA privacy, security and breach notification rules when using cloud computing technology.
The guidance gives insights for providers, business associates and cloud computing vendors. Some of the guidance is basic and well-known to many HIPAA-covered entities. The first question, for instance, considers whether a HIPAA-covered entity or business associate may use a cloud service to store or process electronic protected health information (ePHI). The answer is yes, provided the vendor enters into a business associate agreement that specifies how HIPAA compliance will be maintained.
But overall, the guidance will help providers better assess the current and ongoing security status of cloud vendors and other business associates (BAs). For instance, HHS in the guidance emphasizes the importance of data encryption but also warns not to rely on encryption at the expense of additional protections:
“While encryption protects ePHI by significantly reducing the risk of information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of ePHI, such as ensuring that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the PHI.”
The guidance reaffirms that HIPAA-covered entities (providers or business associates) cannot use a cloud service provider without first having executed a business associate agreement (BAA), and notes a resolution agreement and corrective action plan imposed on a covered entity that stored the ePHI of more than 3,000 persons on a cloud server without a BAA.
“Further, a cloud service provider (CSP) that meets the definition of a business associate—that is a CSP that creates, receives, maintains or transmits PHI on behalf of a covered entity or another business associate—must comply with all applicable provisions of the HIPAA Rules, regardless of whether it has executed a BAA with the entity using its services.”
Under HIPAA, cloud service providers, as well as other business associates, must report security incidents involving ePHI of a HIPAA covered entity or business associate, the HHS guidance notes. “A security incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Thus, a business associate CSP must implement policies and procedures to address and document security incidents, and must report security incidents to its covered entity or business associate customer.”
Also under HIPAA, providers can use mobile devices to access ePHI from a cloud platform as long as appropriate safeguards and BAAs are in place. Guidance on securing ePHI on mobile devices is available here.
In general, HIPAA does not require cloud service providers and other business associates to maintain ePHI past the time it was used to serve a covered entity or business associate. However, BAs must return or destroy all PHI at termination of the BAA. There is additional guidance for situations where return or destruction may not be feasible if other laws require the BA to retain the information.
Other parts of the guidance, available here, cover storage of ePHI outside the United States, auditing of cloud service providers and other business associates, and maintaining only information that has been de-identified.