The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).

In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business associates under HIPAA, and are therefore subject to HIPAA’s requirements.  HHS expressly rejects the idea that CSPs are analogous to “conduits” (such as internet service providers) that provide transmission-only services.  Rather, HHS explains that CSPs store and maintain PHI and thus have ongoing and routine access.

This guidance will be instructive to manufacturers of medical devices that connect to and store data on the cloud.

“No-View Services” included

CSPs that store PHI are business associates, even if they store only encrypted PHI and lack an encryption key for the data (referred to in the guidance as “no-view services”).  In other words, the same HIPAA analysis applies even if the CSP cannot actually view the PHI stored on its servers.  HHS explains that while encryption significantly reduces the risk of the PHI being viewed by unauthorized persons, encryption alone does not adequately safeguard the confidentiality, integrity, and availability of PHI as required by the HIPAA Security Rule.  For example, a CSP offering “no-view services” to a covered entity or business associate must implement administrative safeguards to analyze risks to the PHI as well as physical safeguards for systems and servers that may house PHI.

However, HHS recognizes that, for “no-view service” arrangements, the Security Rule obligations of both parties may be satisfied by just one party.  For example, if the covered entity or business associate customer controls who can view PHI, then other requirements of the Security Rule, such as authentication and access monitoring, become the responsibility of the customer alone and not the CSP.  HHS notes that “a CSP is not responsible for the compliance failures that are attributable solely to the actions or inactions of the customer, as determined by the facts and circumstances of the particular case.”  However, CSPs are still responsible for other aspects of the Security Rule, such as ensuring administrative measures to manage information systems and disaster recovery/contingency plans.

“No-view services” CSPs likewise must comply with the Privacy Rule, including ensuring that the covered entity can meet its obligation to provide access, amendments, and accountings of disclosures.  CSPs must also comply with the breach notification rule by informing their covered entity or business associate customers of breaches of unsecured PHI.

Business Associate Agreements Required

HHS emphasizes that a business associate agreement (BAA) is required when a covered entity or business associate uses a CSP to maintain PHI.  Entities that fail to have a BAA in place are in violation of the HIPAA Privacy Rule.

Mobile Devices and the Cloud

HHS confirms that covered entities and business associates may use mobile devices to access PHI stored in the cloud, as long as appropriate safeguards are in place in accordance with the HIPAA Security Rule.  HHS links to guidance issued by the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) on securing PHI on mobile devices.

PHI Outside the U.S.

HHS clarifies that HIPAA permits a covered entity or business associate to use a CSP that stores PHI on servers outside the U.S.  However, HHS cautions that the covered entity or business associate should assess the risk to such PHI, in particular if it is stored in a country where there are documented attempts at hacking or other malware attacks.