The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).
In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business associates under HIPAA, and are therefore subject to HIPAA’s requirements. HHS expressly rejects the idea that CSPs are analogous to “conduits” (such as internet service providers) that provide transmission-only services. Rather, HHS explains that CSPs store and maintain PHI and thus have ongoing and routine access.
This guidance will be instructive to manufacturers of medical devices that connect to and store data on the cloud.