Five Highlights from OCR Guidance On HIPAA Compliance In Cloud Computing

Poyner Spruill LLP

The Department of Health and Human Services’ Office of Civil Rights (OCR) has issued guidelines for HIPAA-covered entities that use cloud computing to process electronic protected health information (ePHI). The growing use of cloud computing at a time when HHS is stepping up enforcement makes this guidance particularly timely.

The document is lengthy, and is worth reading in its entirety. But five highlights that struck us are:

  • First, covered entities are permitted to use cloud computing to process ePHI. This permission is subject to the proviso that the covered entity enter a HIPAA-compliant business associate agreement (BAA) with the cloud services provider.
  • Second, the conduit exception to the HIPAA Rules does not apply to cloud services providers. Cloud computing providers store ePHI; the conduit exception is limited to entities with fleeting access to ePHI.
  • Third, OCR suggests that, in addition to a BAA, a service level agreement (SLA) can define expectation benchmarks, including those related to HIPAA compliance. HHS suggests these include system availability, reliability, data recovery (with a specific reference to ransomware), data return, and limitations on use, retention and disclosure.
  • Fourth, OCR specifically notes that the cloud services provider has its own regulatory obligations. It is directly liable under the HIPAA rules for unauthorized access or disclosure of ePHI. These include access not authorized by contract, required by law, permitted by the Privacy Rule, or in breach of the Security Rule. This is a critical point for cloud providers. In our experience, one difficult issue in negotiating SLAs is allocating financial and legal responsibility for HIPAA compliance. OCR has made it clear that the cloud service provider has its own compliance obligations independent of the covered entity.
  • Finally, OCR states that health care providers may use mobile devices to access ePHI in the cloud. The only requirement is that appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of ePHI on the mobile device and in the cloud, and that appropriate BAAs are in place with any third-party service providers for the device and/or the cloud that will have access to the ePHI.

Overall, the OCR guidance continues to indicate regulatory flexibility in enforcement. On the plus side, this enables covered entities and business associates to exercise discretion in determining the appropriate level of safeguards for themselves. On the negative side, this flexibility comes at a cost: guidelines are recommended, but adherence offers no guarantees. In HIPAA enforcement, as in many other areas, in the words of Justice Oliver Wendell Holmes, Jr., “the life of the law has not been logic; it has been experience.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
