Health care facilities, health plans, and business associates are increasingly turning to cloud service providers to store, maintain, and, at times, wholly manage, the covered entity or business associate’s electronic protected health information (ePHI).  As covered entities and business associates migrate their data to the cloud, these entities need to take a closer look at their obligations under the Privacy Rule and the Security Rule.

When a covered entity or business associate contracts with a cloud service provider, the cloud service provider is a business associate of the hiring party.  As a threshold matter, the covered entity or business associate needs to enter into a HIPAA-compliant business associate agreement with the cloud service provider.  This agreement, often used alongside or as an attachment to a larger, service-level agreement, establishes the permitted and required uses and disclosures of ePHI by the cloud service provider.

While HIPAA’s Security Rule allows a covered entity or business associate to utilize a cloud service provider to store and process ePHI, it is imperative that both parties are familiar with the cloud computing environment and the implications for the security of ePHI.  Generally, when engaging a cloud service provider to receive or transmit ePHI, the cloud service provider’s experience and knowledgeability of HIPAA’s requirements will become immediately apparent at the time of initial negotiations.  Just as a covered entity is obligated to identify, among other things, its risk management protocols in a HIPAA risk analysis, so to must the cloud service provider.  Both parties must identify and assess potential threats to the confidentiality, integrity, and availability of all ePHI they create, transmit, and store.  It is reasonable for a covered entity or business associate to request access to or disclosure of a cloud service provider’s data security protocols.

The level of services provided by a cloud service provider will vary based upon the covered entity or business associate’s needs and complexity.  A cloud service provider that provides only “no view” storage services is functionally different from a cloud service provider that has full access to the ePHI that it maintains.  Nonetheless, the cloud service provider is obligated to comply with the Security Rule and for implementing reasonable and appropriate controls to safeguard the ePHI in its systems.  The contractual relationship between the covered entity or business associate and the cloud service provider will provide for the respective obligations of each party for complying with the Security Rule.  Compliance with and enforcement of contractual obligations will be viewed by the Office of Civil Rights as an important factor during any compliance investigation of either the covered entity or the cloud service provider.  Note that a cloud service provider has direct liability under HIPAA if it causes a use or disclosure of ePHI that is not permitted by the Privacy Rule.

In all, covered entities and business associate who utilize cloud computing services need to be aware of the implications of transmitting or maintaining their ePHI on the cloud.  HIPAA compliant business associate agreements and comprehensive service level agreement should be implemented to ensure that the confidentiality, integrity, and availability of ePHI is maintained.