HHS recently posted guidance on its website addressing HIPAA’s approach to cloud computing. Basically, any time a cloud service provider has electronic protected health information (ePHI), it’s a business associate. This is true even if the cloud provider only stores encrypted ePHI and even if the cloud provider does not have the encryption key (and therefore, in theory, could not access the data). This means that both health plans and their business associates who use outsourced cloud computing services must have business associate agreements with those services.
At first blush, this might seem like it doesn’t directly touch the health plan, but cloud computing can take many forms. For example, if your company has an off-site data server that is managed by a third party and ePHI is stored on that server, a business associate agreement with that third party is probably necessary. Even if all you do is use something like Google Docs, OneNote, Evernote, or Dropbox for storage, that could be considered cloud computing subject to these rules. Therefore, the sweep is broad and employees working on health plan matters would be well advised to consult with the plan’s Security Officer and their IT departments about this guidance. HHS’s position is that it is a HIPAA violation if ePHI is shared with a cloud provider and there’s no business associate agreement in place.
The HHS guidance provides some points to consider in contracting with cloud providers. Some of those points will likely be addressed in a general service agreement between the company and the provider. In addition, this one page summary from Bryan Cave’s data privacy team has some additional general thoughts on issues to consider when contracting with cloud providers.
In response to this information, employees charged with health plan matters should consider the following steps:
Evaluate with your IT department and HIPAA Security Officer whether you use any cloud service providers.
Review the HHS guidance with the relevant IT personnel.
Determine whether ePHI is created, received, maintained, or transmitted by the cloud service provider or if it is possible to avoid having ePHI handled by the cloud service provider.
Determine whether a business associate agreement is in place with the cloud service provider (and if not, get one as soon as possible). In negotiating that agreement, consider what data protections you may need or want to include.
Include an evaluation of the cloud service provider in your HIPAA risk assessment.