On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes in part that:

  • CSPs that create, receive, maintain or transmit electronic protected health information (ePHI) on behalf of a covered entity or business associate are “business associates” under HIPAA. A covered entity or business associate that uses a CSP to perform any of these functions must enter into a business associate agreement with the CSP. As a business associate, the CSP must comply with all applicable HIPAA requirements.
  • A CSP that stores encrypted ePHI is a business associate even if it does not hold the decryption key. Encryption protects against unauthorized viewing of ePHI, but it does not satisfy the CSP's other obligations as a business associate, such as the Security Rule's requirements to maintain the integrity and availability of the data.
  • A covered entity or business associate that uses a CSP for ePHI without first entering into a business associate agreement is in violation of HIPAA. The CSP, as a business associate, could also be directly liable for using or disclosing the ePHI without such an agreement.
  • HIPAA does not prohibit CSPs from storing ePHI on servers outside of the United States, but the parties must still enter into a business associate agreement and otherwise comply with HIPAA, and the risk analysis should account for any added risks of offshore storage. Government entities and third parties may impose additional requirements on the use of offshore contractors that can affect these arrangements.

Covered entities, business associates and CSPs would be well-advised to review the Guidance to ensure compliance with HIPAA.