HHS on the Cloud and HIPAA
This week Relativity announced that it is now HIPAA compliant. The Department of Health and Human Services (HHS) is responsible for enforcing the standards of the Health Insurance Portability and Accountability Act. On its web site, HHS provides guidance on how providers of cloud computing services can make sure that the protected health information (PHI) they host is secure.
HHS confirms that PHI may be stored with a cloud service, but requires that a HIPAA-compliant contract be in place. A service level agreement is needed to address back-up data policies, data retention, and system availability. A cloud service provider (CSP) that hosts PHI without an executed 'business associate agreement' is in violation of the HIPAA rules.
Even if a cloud service provider hosts encrypted PHI for which it does not have a decryption key, it is still responsible for complying with HIPAA regulations.
A CSP is not treated as a mere conduit, like the post office, for the purposes of HIPAA compliance.
The HHS does not certify cloud service providers.
With respect to security incidents, the HIPAA Security Rule does not require that reports include a specific level of detail or be made at a particular frequency.
Healthcare providers can use mobile devices to access PHI stored in the cloud.
Upon the termination of a business associate agreement, PHI must be returned or destroyed. If this is not possible, security protections must continue to be applied to the PHI that is retained.
PHI can be stored on servers outside of the United States.
HIPAA does not require CSPs to allow customers to audit their security practices.
HIPAA privacy and security rules do not apply to de-identified data.