As you may be aware, HIPAA (the Health Insurance Portability and Accountability Act) and the Rules that the U.S. Department of Health & Human Services (HHS) issued under it establish protections for protected health information (PHI). HHS has since issued guidance explaining how the HIPAA Rules (the Privacy, Security, and Breach Notification Rules) apply when HIPAA covered entities use cloud computing through cloud service providers (CSPs).
When a covered entity engages a CSP to create, receive, maintain, or transmit electronic protected health information (ePHI), the CSP is a business associate of the covered entity under the HIPAA Rules. A CSP is a business associate even when it handles only encrypted ePHI and does not hold the decryption key. In addition, as a business associate, the CSP is required to identify and respond to all security incidents (defined under the Security Rule as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system) and to notify the covered entity as the HIPAA Rules and the business associate agreement require.
A covered entity may use the services of a CSP, but it must enter into a business associate agreement (BAA) with the CSP that complies with the HIPAA Rules. Both the covered entity and the CSP must perform a risk analysis that identifies the threats and vulnerabilities affecting the ePHI the CSP will handle and process, and the CSP is accountable for implementing the safeguards and additional controls the HIPAA Rules require to reduce those risks to a reasonable and appropriate level. If a covered entity uses a CSP to process ePHI without a BAA in place, both parties are in violation of the HIPAA Rules.
Another area the HHS guidance addresses is the use of mobile devices by healthcare providers to access ePHI held by a CSP. Healthcare providers may use such devices once the appropriate BAAs have been entered into among the corresponding parties (the covered entity and any third-party service providers for the mobile devices and for cloud access) and all applicable HIPAA requirements, including reasonable and appropriate safeguards for the devices themselves, have been met. In addition, the HIPAA Rules do not prohibit a covered entity from using a CSP that stores ePHI on servers outside of the United States, provided the covered entity enters into the appropriate BAA and all HIPAA requirements are met; the risks associated with storage in a foreign jurisdiction should be addressed in the parties' risk analysis.
For more information, please contact Cathrine Hunter at (239) 649-6555 or visit www.wpl-legal.com.