Cloud service providers subject to HIPAA when handling ePHI

Entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) may use cloud services to store and process electronic protected health information (ePHI). According to HHS’ health information privacy guidance, before doing so, the covered entity (or the entity’s business associate) must enter into a HIPAA-compliant business associate agreement (BAA) or contract with its chosen cloud service provider (CSP).

CSP requirements

CSPs are legally separate from the covered entity and offer online access to shared computing resources. Their offerings range from raw data storage to complete software solutions, such as electronic medical record systems. When a HIPAA-covered entity retains a CSP to create, receive, maintain, or transmit ePHI, that CSP becomes a business associate under HIPAA, even if the CSP is only a subcontractor of another business associate. This holds even where the ePHI processed or stored by the CSP is encrypted and the CSP never holds the encryption key: a so-called “no-view” CSP is still a business associate and remains subject to the HIPAA rules, because it retains control over the availability of the data and the systems on which it sits.

Business associate agreement

A BAA establishes the permitted and required uses and disclosures of ePHI by the CSP, and is a requirement under HIPAA. A covered entity must have a clear understanding of the services the CSP provides so that a risk analysis can be conducted and the appropriate provisions included in the BAA. More specific business expectations, such as system availability, backup and data recovery, how data will be returned at the end of the engagement, and the division of security responsibilities, may be set out in a service level agreement (SLA); the SLA’s provisions must be consistent with HIPAA and with the BAA.

The BAA can also establish how the CSP is to report security incidents to the covered entity. The Security Rule (45 C.F.R. Parts 160 and 164) requires business associates to identify and respond to security incidents, mitigate their effects, document them, and report them. The BAA must require such reporting, but the rule is flexible and allows the parties to agree on the frequency, level of detail, and format of reports; for example, the BAA may call for individual reports of incidents that resulted in unauthorized access to ePHI while permitting aggregated, periodic reporting of routine unsuccessful attempts such as port scans or failed log-on attempts. Note that this is separate from the Breach Notification Rule, under which a business associate must still notify the covered entity of any breach of unsecured PHI.