OCR Releases HIPAA Guidance for Cloud Services
The Office for Civil Rights (OCR) released much-needed cloud computing guidance for covered entities (CE), business associates (BA), and vendors on October 7.
Cloud computing service use has grown rapidly in recent years, and cloud storage may be part of other services, such as electronic health records, that a CE uses. But in the absence of clear guidance from OCR, some CEs and BAs weren’t sure how—or if—HIPAA applied to cloud service providers. And many cloud service providers were not familiar with HIPAA and were unable to determine which regulations they were required to follow or whether they could be considered BAs or BA subcontractors.
OCR's guidance aims to clear up common questions and misconceptions. Most importantly, OCR states that cloud service providers that store, transmit, or otherwise handle electronic protected health information (ePHI) are BAs if they are contracted directly with a CE and BA subcontractors if they work with a BA. In either case, the cloud service provider must sign a BA agreement (BAA) and abide by the applicable sections of the Security and Breach Notification rules. Sometimes, a CE or BA may encrypt ePHI before transmitting it to a cloud service provider and not allow the cloud service provider access to the encryption key. But even in this case, the cloud service provider is still acting as a BA or BA subcontractor and a BAA is required.
The guidance contains a list of FAQs and references to HIPAA, National Institute of Standards and Technology cloud computing guidance, and OCR guidance on related topics such as breach notification.