Q&A: Breach notification requirements for cloud services
Q: Can a cloud provider like Amazon Web Services or Microsoft Azure, when considered a business associate (BA), be held liable for breach notification requirements?
A: Yes. While there is no private right of action under HIPAA, BAs such as cloud providers are required to adhere to the HIPAA Breach Notification Rule, specifically 45 CFR § 164.410. BAs are required to notify their CE customers in the event of a breach of unsecured PHI. BAs are not required to notify OCR or individuals, but they are mandated to notify CE customers.
Editor’s note: Apgar is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.