Covered entities that use cloud computing, storage or other cloud-based technology should pay close attention to the nuances of the Health Insurance Portability and Accountability Act (HIPAA). Some doctors and practitioners assume HIPAA does not cover the cloud, so they turn a blind eye to compliance. In doing so, however, they place their patients' information at risk of disclosure, which could in turn result in fines and other penalties handed down by the Department of Health and Human Services (HHS).
What Is Cloud Computing?
The Global Language Monitor (GLM) – the organization responsible for selecting the Word of the Year – named “cloud computing” one of the most popular and influential phrases of 2009. Since then, the use of cloud technology has grown exponentially, with major companies like Apple, IBM, Google and Amazon offering cloud-based services.
Cloud computing refers to a network of remote servers and datacenters that allow for centralized storage and computer processing. Rather than storing information on local computers, for instance, doctors and healthcare practitioners can store it in the cloud. This allows them to access their data from anywhere, at any time – assuming they have an Internet connection.
Cloud Computing and HIPAA
So, how does the HHS view cloud computing with regard to HIPAA compliance? The general view has been that cloud-based datacenters are classified as “business associates” of covered entities, meaning they are also responsible for complying with HIPAA and, consequently, can be held liable for the unauthorized use or disclosure of Protected Health Information (PHI).
The status of cloud computing was clarified in the 563-page Omnibus Rule, which states that data storage companies that have access to PHI qualify as business associates.
“A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate,” the Omnibus Rule states. “To help clarify this point, we have modified the definition of 'business associate' to generally provide that a business associate includes a person who 'creates, receives, maintains, or transmits' (emphasis added) protected health information on behalf of a covered entity.”
So, what does this mean? Because cloud-based datacenters are classified as business associates, covered entities must put a written business associate contract or agreement in place before conducting business with them. Without such a contract, the covered entity could be found in violation of HIPAA. This is why it's important for covered entities to plan ahead and cover their bases before engaging a third-party entity.