The Department of Health and Human Services Office for Civil
Rights (OCR) recently released a document entitled "Guidance on HIPAA & Cloud Computing"
which puts to rest any questions on whether cloud service providers
are business associates (BAs) under HIPAA.
The October 6 guidance confirms that a cloud service provider
becomes a BA whenever it creates, receives, maintains or transmits
electronic protected health information (ePHI) on behalf of a
covered entity or another BA - even if it handles only encrypted
ePHI and does not hold the key to decrypt the data. OCR's reasoning
is that encryption protects the confidentiality of ePHI but does
nothing to guarantee its integrity or availability, both of which
the provider is responsible for as long as it holds the data.
Covered entities and BAs are therefore required to enter into
HIPAA-compliant business associate agreements with such cloud
providers, and the providers themselves are directly liable for
compliance with the applicable HIPAA requirements.
OCR stressed that a covered entity or BA must understand a cloud
provider's computing environment well enough to conduct its own
risk analysis and put any required risk management policies in
place. It remains to be seen how willing cloud service providers
will be to share the information needed for such an assessment.
Originally published on Day Pitney's Employer's Law blog.