Clouds, With A Nearly 100% Chance of a Business Associate Agreement

Bryan Cave Leighton Paisner
Contact

HHS recently posted guidance on its website addressing HIPAA’s approach to cloud computing.  Basically, any time a cloud service provider has electronic protected health information (ePHI), it’s a business associate.  This is true even if the cloud provider only stores encrypted ePHI and even if the cloud provider does not have the encryption key (and therefore, in theory, could not access the data).  This means that both health plans and their business associates who use outsourced cloud computing services must have business associate agreements with those services.

At first blush, this might seem like it doesn’t directly touch the health plan, but cloud computing can take many forms. For example, if your company has an off-site data server that is managed by a third party and ePHI is stored on that server, a business associate agreement with that third party is probably necessary.  Even if all you do is use something like Google Docs, OneNote, Evernote, or Dropbox for storage, that could be considered cloud computing subject to these rules.  Therefore, the sweep is broad and employees working on health plan matters would be well advised to consult with the plan’s Security Officer and their IT departments about this guidance.  HHS’s position is that it is a HIPAA violation if ePHI is shared with a cloud provider and there’s no business associate agreement in place.

The HHS guidance provides some points to consider in contracting with cloud providers. Some of those points will likely be addressed in a general service agreement between the company and the provider.  In addition, this one page summary from Bryan Cave’s data privacy team has some additional general thoughts on issues to consider when contracting with cloud providers.

Next Steps

In response to this information, employees charged with health plan matters should consider the following steps:

  1. Evaluate with your IT department and HIPAA Security Officer whether you use any cloud service providers.
  2. Review the HHS guidance with the relevant IT personnel.
  3. Determine whether ePHI is created, received, maintained, or transmitted by the cloud service provider or if it is possible to avoid having ePHI handled by the cloud service provider.
  4. Determine whether a business associate agreement is in place with the cloud service provider (and if not, get one as soon as possible). In negotiating that agreement, consider what data protections you may need or want to include.
  5. Include an evaluation of the cloud service provider in your HIPAA risk assessment.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising

Written by:

Bryan Cave Leighton Paisner
Contact
more
less

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.