The Department of Health and Human Services (HHS) has issued new guidance on cloud computing and HIPAA to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs).
CSPs that are legally separate entities from a HIPAA covered entity are classified as business associates (BAs) under the HIPAA Rules if the CSP creates, receives, maintains, or transmits ePHI on the covered entity's behalf. A CSP is also classified as a BA when a business associate of a covered entity subcontracts services to the CSP that involve creating, receiving, maintaining, or transmitting ePHI.
It is important to note that even if a HIPAA covered entity, a BA, or a subcontractor of a BA provides ePHI to a CSP only in encrypted form, the CSP is still classified as a BA under the HIPAA Rules, even when the CSP is given no means of decrypting the data.
A CSP is not classified as a BA, and is therefore not required to comply with the HIPAA Rules, if it is provided only with de-identified data, that is, data that has been de-identified in accordance with the HIPAA Privacy Rule. De-identified data is no longer PHI.
Under the HIPAA Security Rule, BAs are required to implement safeguards to protect the confidentiality, integrity, and availability of ePHI. Restrictions are also placed on the uses and disclosures of ePHI. Under the HIPAA Breach Notification Rule, a CSP is required to notify the covered entity or its BA of a breach of ePHI.
Before the services of a CSP are used, both parties must enter into a HIPAA-compliant business associate agreement (BAA). The CSP is contractually bound to comply with the terms of the BAA and is directly liable for ensuring compliance with the HIPAA Rules. Should the CSP violate the HIPAA Rules, the HHS Office for Civil Rights (OCR) is empowered to impose financial penalties for non-compliance. Penalties can be as high as $1.5 million per HIPAA violation category, per calendar year.
The importance of entering into a HIPAA-compliant BAA with a CSP was highlighted in July this year. OCR agreed to settle with Oregon Health & Science University, Portland for $2.7 million after an investigation discovered that ePHI had been stored on a Google cloud-based platform without a HIPAA-compliant BAA first being obtained.
OCR points out that, in addition to a BAA, a service level agreement (SLA) can be used to address specific expectations, including issues related to HIPAA compliance. The SLA can contain provisions covering the CSP's responsibilities with respect to data backup, security, and recovery; the return of data on termination of the agreement; data ownership; limitations on data use and disclosure; and system availability and reliability. However, the SLA must be consistent with the HIPAA Rules and the BAA. Covered entities should note that an SLA does not constitute a BAA.
The guidance on HIPAA and cloud computing was issued after OCR received numerous questions from covered entities and business associates indicating that there was considerable confusion about cloud computing services and HIPAA.
OCR notes that covered entities should not seek guidance from it on specific products, technologies, or cloud services. OCR does not endorse, recommend, or certify any technology, cloud service, or product.
Several frequently asked questions are answered in the guidance on cloud computing and HIPAA, which can be viewed on this link.