With more and more Covered Entities and Business Associates using Cloud Service Providers, the Department of Health and Human Services (HHS) issued guidance last week addressing issues surrounding the privacy and security of electronic protected health information (ePHI) in the cloud.
Cloud computing is simply storing and accessing data and/or programs over the internet instead of from your computer’s hard drive. You probably use cloud computing every day, whether you realize it or not. If you have an iPhone, a Facebook page, or a Gmail or Netflix account, you’re in the cloud.
Healthcare organizations also use cloud computing. Many Electronic Health Record (EHR) applications are cloud-based, being hosted on servers maintained offsite by the software vendor and accessed via a web-based interface. Encrypted email applications usually operate in the same manner. Cloud-based data backup solutions are also increasing in popularity.
But how secure is cloud computing? There are issues to consider both with the transmission of data to and from the cloud (data in motion), and with the secure storage of data as it resides in the cloud (data at rest). The guidance posted by HHS last week seeks to address some of the issues surrounding the use of cloud computing and Cloud Service Providers at a high level. Presented in question and answer format, the guidance covers such topics as:
- The general use of cloud storage with ePHI
- The use of encryption and its impact on Cloud Service Providers’ obligations under HIPAA
- Cloud Service Providers and Business Associate Agreements
- Privacy and Security Rule considerations with Cloud Service Providers
- Whether or not the Business Associate “conduit exception” applies to Cloud Service Providers
- The use of mobile devices to access the cloud
- Cloud Service Providers with servers outside the United States
Cloud Service Providers ARE Business Associates
Undeniably, the key takeaway from this guidance is that Cloud Service Providers are Business Associates, even if they receive and store only encrypted ePHI and do not hold a decryption key that would let them view the data. They are not exempt under the conduit exception unless they provide solely ePHI transmission services, with only temporary storage of that ePHI during transmission. The only other exception is if they handle only data that has been de-identified according to HIPAA de-identification standards.
In addition to this general guidance, Covered Entities and Business Associates are encouraged to consult National Institute of Standards and Technology (NIST) Special Publication 800-146, Cloud Computing Synopsis and Recommendations, for detailed information about cloud computing and Cloud Service Providers.