OCR Guidance Confirms That Cloud Vendors Are Business Associates

Posted in Electronic Health Records, HIPAA and the HITECH Act, Hospitals and Institutions, Legislation and Public Policy, Privacy and Data Protection

The Department of Health and Human Services Office for Civil Rights (OCR) recently released a document entitled “Guidance on HIPAA & Cloud Computing” which puts to rest any questions on whether cloud service providers are business associates (BAs) under HIPAA.

The October 6 guidance confirms that a cloud service provider becomes a BA whenever it receives or stores electronic protected health information (ePHI) from a covered entity or BA – even if it handles only encrypted ePHI and does not hold the key to decrypt the data. Therefore, covered entities and BAs are required to enter into HIPAA-compliant business associate agreements with cloud providers, who are directly liable for compliance with applicable HIPAA requirements.

OCR stressed the importance of a covered entity or BA understanding a cloud provider’s computing environment in order to be able to appropriately conduct its own risk analysis and establish any management policies that may be required. It remains to be seen how open cloud service providers will be to providing the necessary information to conduct such a risk assessment.
