Cloud service providers are classified as business associates based on the HIPAA Omnibus Rule, which states “A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
Cloud service providers are not covered under the HIPAA conduit exception rule. Companies that are classified as conduits offer transmission of data only or communication that is transient in nature. Despite the fact that cloud service providers encrypts all data and do not have the encryption keys, they are still not considered as conduits. As such, cloud platforms need to sign a business associate agreement before ePHI can be stored, processed or transmitted using their services. If de-identified PHI are to be shared or stored using the cloud service, a BAA is not necessary. De-identified PHI are stripped of all personal identifiers and are, therefore, not PHI.
To make cloud computing and HIPAA compliance work together without a hitch, there are things that need to be done before healthcare organizations can use cloud services for managing ePHI.
1. Do a risk analysis. Both HIPAA covered entities and cloud services should have risk management policies in place.
2. Have a Business Associate Agreement (BAA). This is a must before using any cloud service or platform for ePHI storage, sharing and processing. Without this, both covered entity and service provider violate the HIPAA rules.
3. Consider having a Service Level Agreement (SLA). A SLA covers the technical aspects of the service like system uptime, data backups, customer service response time, reliability and data deletion when the agreement is terminated. Penalties on below standard performance may also be included in the SLA.
4. The CSP must employ end-to-end encryption. This means that all stored and transmitted data are encrypted. Encryption is important but does not necessarily guarantee the integrity of ePHI.
5. Configure access controls carefully. Covered entities must make sure that settings allow only authorized persons to access the ePHI in the cloud.
6. Assess the risk associated with the cloud service location. Data may be stored in multiple locations to allow fast cloud access and data recovery in case of any problem. But, consider that data protection laws may not be the same in the U.S. and in foreign countries.
7. Audit access logs regularly. Healthcare organizations should monitor the people accessing the cloud data or when there are failed attempts at accessing ePHI to check any suspicious activities.