Protected Health Information Migrates to the Cloud

By Thomas Johnson

Health care facilities, health plans, and business associates are increasingly turning to cloud service providers to store, maintain, and, at times, wholly manage, the company’s electronic protected health information (ePHI).  As covered entities and business associates migrate their data to the cloud, these entities need to take a closer look at their obligations under HIPAA’s Privacy Rule and the Security Rule.  

When a covered entity or business associate contracts with a cloud service provider, the cloud service provider, generally, is a business associate of the hiring party.  As a threshold matter, the covered entity or business associate needs to enter into a business associate agreement with the cloud service provider that complies with the Privacy and Security Rule.  This agreement, often used alongside or as an attachment to a larger, service-level agreement, establishes the permitted and required uses and disclosures of ePHI by the cloud service provider.

Generally, when engaging a cloud service provider to receive or transmit ePHI, the cloud service provider’s experience and knowledgeability of HIPAA’s requirements will become immediately apparent at the time of initial contracting.  Just as a covered entity is obligated to identify, among other things, its risk management processes and procedures in a HIPAA risk analysis, so to must the cloud service provider.  Both parties must identify and assess potential threats to the confidentiality, integrity, and availability of all ePHI they create, transmit, and store.  It is not unreasonable for a covered entity to request access to or disclosure of a cloud service provider’s data security protocols.  

The level of services provided by a cloud service provider will vary based upon the covered entity or business associate’s needs and complexity.  A cloud service provider that provides “storage only” services is functionally different from a cloud service provider that has full access to the ePHI that it maintains.  Nonetheless, the cloud service provider is obligated to comply with the Security Rule and for implementing reasonable and appropriate controls to safeguard the ePHI in its systems.  The contractual relationship between the covered entity or business associate and the cloud service provider will provide for the respective obligations of each party for complying with the Security Rule.  Compliance with and enforcement of these contractual obligations will be viewed by the Office of Civil Rights as an important factor during any compliance investigation of either the covered entity or the cloud service provider.

In all, covered entities and business associates who utilize cloud computing services need to be aware of the implications of transmitting or maintaining their ePHI on the cloud.  HIPAA compliant business associate agreements and comprehensive service-level agreements should be implemented to ensure that the confidentiality, integrity, and availability of ePHI is maintained.

Tommy Johnson is a health care attorney specializing in health information technology and data privacy at the Boyce Law Firm in Sioux Falls, South Dakota.