HIPAA and Cloud Computing: Your Compliance Questions, Answered

HIPAA and Cloud Computing: Your Businesses Compliance Questions, Answered.

These days, for healthcare providers and those trusted with a patient’s personal information, it’s all about keeping up with compliance. Recently released were updated guidelines on what it takes for Cloud Service Providers (CSPs) to make the HIPAA compliance cut, and what healthcare agencies should be critical of when leveraging offerings from CSPs. Numerous laws and regulations pertain to the storage and use of data, including that of cloud computing. In the US, these include privacy or data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA).

“With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI).”

The US Department of Health and Services details several key questions and answers to assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services. Here are 5 of the top considerations from the Department of Health and Services to keep in mind before you head to market.


May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules.

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies.

Use a Service Level Agreement (SLA) to address more specific business expectations

SLAs can include provisions that address such HIPAA concerns as, System availability and reliability, back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation), manner in which data will be returned to the customer after service use termination, security responsibility; and use, retention and disclosure limitations.

Security Considerations

All CSPs that are business associates must comply with the applicable standards and implementation specifications of the Security Rule with respect to ePHI.  However, in cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, certain Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties.  In particular, where only the customer controls who is able to view the ePHI maintained by the CSP, certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the CSP business associate.

However, as a business associate, the CSP is still responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to information systems that maintain customer ePHI.

Privacy Considerations

A business associate may only use and disclose PHI as permitted by its BAA and the Privacy Rule, or as otherwise required by law.  While a CSP that provides only no-view services to a covered entity or business associate customer may not control who views the ePHI, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law.

Breach Notification Rule Considerations

A business associate is responsible for notifying the covered entity (or the business associate with which it has contracted) of breaches of unsecured PHI. Unsecured PHI is PHI that has not been destroyed or is not encrypted at the levels specified in HHS’ Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. However, if the ePHI is encrypted, but not at a level that meets the HIPAA standards or the decryption key was also breached, then the incident must be reported to its customer as a breach, unless one of the exceptions to the definition of “breach” applies.

Lastly, although the HIPAA Requirements do not enforce the following, it’s a good idea to do business with a cloud service provider that adheres to the following practices and policies.

Is the client infrastructure auditable?

One of the most critical requirements for a HIPAA compliant hosting provider is the ability to facilitate an auditor’s risk assessment of the environment that houses ePHI.

Do they provide FIPS 140-2 Encryption for data in transit?

Oddly enough, the HIPAA rules state that the use of encryption is not mandatory. To protect your data, make sure ePHI is encrypted in any possible location.

Which CSP’s offer HIPAA compliance?

Download our Free Cloud Computing Platform Buyer’s Guide for a closer look at product key features and capabilities.