HHS clarifies cloud providers as business associates under new guidance

Cloud service providers become business associates (BAs) subject to HIPAA whenever a covered entity or its BA handles electronic protected health information (ePHI), according to new guidance from the Department of Health and Human Services Office for Civil Rights.

Whether a contractor to a covered entity or subcontractor to a business associate, this status applies even if a cloud provider handles only encrypted ePHI and does not hold the key to decrypt the data, OCR says.

That means covered entities and business associates are required to enter into HIPAA-compliant business associate agreements with cloud providers. The guidance calls cloud providers contractually liable for meeting the agreement’s terms, and directly liable for compliance with applicable HIPAA requirements.

A covered entity or business associate must understand a cloud provider’s computing environment to be able to appropriately conduct its own risk analysis and establish risk management policies, OCR says. In addition, service-level agreements (SLAs), which cover factors such as availability, reliability and system backup, might have aspects subject to HIPAA, too.

When a cloud provider offers only no-view services of encrypted data for a customer, however, certain Security Rule requirements for multiple parties might be satisfied by the actions of only one of them. For instance, if the covered entity implements appropriate access controls, the cloud provider is not required to add more.

All parties, however, must have in the written agreement how Security Rule requirements will be handled, and by whom.