All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved

Data Fast News



Updated Guidance on HIPAA and Cloud Computing

In a prior article, in August of this year, we highlighted the conveniences of cloud computing in healthcare as well as the security risks of using the cloud. Recently, Health and Human Services (HHS) updated its guidelines on cloud computing in relation to HIPAA, to support compliance with the regulations that protect the privacy of electronic protected health information (ePHI) and keep it secure. These new guidelines cover cloud service providers (CSPs) and their role in HIPAA compliance.

Specifically, the guidelines state:

“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA.  Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.  This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data.  Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules.   As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”

The HHS guidelines go on to answer questions such as:

“If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?”

“Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?”

“Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?”

Answers to these, and other questions, can be found on the website as:

As a result of the changing guidelines, it’s important that current Service Level Agreements (SLAs) between a CSP and its customer be updated so that each SLA is consistent with the updated HIPAA rules.

Just as cloud computing allows easier collaboration between healthcare professionals, it’s also important to collaborate with a good I.T. company like Data Fast Solutions that is well versed in HIPAA compliance. This will ensure updated HHS HIPAA guidelines are continually being met.

This article is ©2016 Data Fast Solutions • All Rights Reserved
