HIPAA and Cloud Provider Refresher

As far as regulators are concerned, the cloud is a relatively recent development. However, they've done a pretty good job of dealing with this 'new' computing model. Take HIPAA.

We wrote that if a cloud service processes or stores protected health information (PHI), it's considered, in HIPAA-ese, a business associate or BA. As you may recall, the Final Omnibus Rule from 2013 says that BAs fall under HIPAA's rules.

A covered entity (a health provider or insurer) must also have a contract in place that says the cloud service provider, or CSP, will comply with the key HIPAA safeguards: technical, physical, and administrative. The Department of Health and Human Services (HHS), the agency in charge of enforcing HIPAA, has conveniently provided a sample contract.

The relationship between a covered entity and CSP can be a confusing topic for security and compliance pros. So the HHS folks kindly put together this wonderful FAQ on the topic.

You should read it!

And please note that CSPs are under a breach notification requirement, though the exact details of reporting back to the covered entity would have to be worked out in the contract.

One key point to keep in mind is that the reason behind having a BA contract is to make sure that the CSP knows they’re being asked to process PHI.

And if a somewhat careless or unscrupulous hospital doesn’t make the CSP sign such a contract, it still doesn’t matter!

HIPAA rules say the BA can't plead ignorance of the law (except in very special cases). In this situation, the hospital would be fined for the lapse of not putting a contract in place, and the CSP would still be held responsible for PHI security.

The higher goal is to prevent a covered entity from outsourcing its compliance responsibility to an indifferent third party, and to avoid the legal finger-pointing exercise that would follow a security violation.

CSPs have done a good job of keeping up with changing data security regulations, and they're very aware of the HIPAA rules. For example, Amazon knows about BA contracts, as do Google and many other cloud players.