The Health and Human Services Office for Civil Rights (OCR) recently issued guidance on the need for covered entities and cloud service vendors to maintain business associate agreements (BAAs) whenever electronic protected health information (ePHI) is stored on cloud computing systems.
OCR stressed the importance of the following points that covered entities should be mindful of when engaging with cloud service vendors:
- Covered entities lacking BAAs with their cloud service vendors are in violation of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security Rules;
- BAAs should set forth the permitted uses and disclosures of the ePHI;
- Cloud service vendors meet the definition of a business associate when they create, receive, maintain or transmit ePHI, even if the data they maintain is encrypted and the vendor does not hold the decryption key;
- Cloud service vendors that hold only de-identified information do not meet the definition of a business associate and are not restricted under HIPAA from using or disclosing that de-identified information; and
- Cloud service vendors acting as business associates must report breaches of unsecured PHI to the covered entity.
OCR’s guidance is available here.