Does your healthcare practice use the services of a cloud service provider (CSP)? Well, you aren't alone. More and more doctors, dentists, chiropractors and other covered entities are using CSPs to store and manage their data. After all, it's easier and more convenient to access data stored in the cloud than data stored locally. But when using a CSP, covered entities must follow some basic steps to ensure full compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
It's important to note that not all CSPs are compliant with HIPAA. When using a CSP, covered entities are typically required to enter into a Business Associate Agreement (BAA) that details the way in which the CSP will access the covered entity's Protected Health Information (PHI). If the CSP fails to honor the BAA, using its services could be a violation of HIPAA, assuming the CSP has access to PHI.
So, which CSPs offer HIPAA-compliant services? A simple Google search can reveal several HIPAA-compliant CSPs. The Department of Health and Human Services (HHS), however, does not endorse or recommend specific technology or products, and that includes CSPs. It's up to the covered entity to perform their own research when selecting a CSP, ensuring it's compliant with HIPAA and its respective rules.
Keep in mind that both the covered entity and CSP must implement safeguards when storing ePHI. Under the Security Rule, this includes physical safeguards, technical safeguards and administrative safeguards. If only the covered entity implements these safeguards, the CSP is not HIPAA-compliant; thus, another CSP should be chosen.
Some covered entities assume that a CSP that stores only encrypted ePHI and does not hold the decryption key is not a business associate. The HHS explains on its website, however, that this is not the case. Whenever a CSP "receives and maintains" ePHI for a covered entity or another business associate, that CSP is considered a business associate. Regardless of whether or not the CSP holds the decryption key, it is still considered a business associate if it handles ePHI on behalf of the covered entity. As such, the covered entity must have a BAA in place when hiring the services of a CSP.
The bottom line is that it's perfectly fine for a covered entity to use a CSP. However, CSPs should be selected based on their security, strength and overall compliance with HIPAA.