Cloud data storage and services have become increasingly popular over the past few years. They allow companies of all shapes and sizes to store their data remotely rather than locally, which protects against total data loss in the event of a disaster such as a fire, flood, or theft. However, businesses that use such services should be aware of the Health Insurance Portability and Accountability Act (HIPAA) and how it views cloud-based storage providers.
Under the HIPAA Privacy Rule, covered entities are required by law to execute a Business Associate Agreement (BAA) before conducting business with any entity or third party that may have access to Protected Health Information (PHI). In other words, if a doctor hires an IT specialist to update his or her system, the two must put a BAA in place that outlines the measures required to protect patients' data from unauthorized access. A Business Associate Agreement is essentially a legally binding contract in which the third party agrees to safeguard the PHI it handles and to use or disclose it only as the agreement permits.
You can read more about the elements of a BAA by visiting http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html, but every Business Associate Agreement must do at least the following:
- Establish the permitted and required uses and disclosures of PHI by the Business Associate.
- Provide that the Business Associate will not use or disclose PHI other than as permitted or required by the BAA.
- Require the Business Associate to implement appropriate and meaningful safeguards to prevent unauthorized use or disclosure of PHI.
- Require the Business Associate to report to the covered entity any use or disclosure of PHI not provided for by the BAA.
Until recently, cloud-based data storage providers were not specifically mentioned in HIPAA; as a result, many covered entities did not execute BAAs with them. This changed, however, when HHS released its Omnibus Rule in 2013.
“A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis,” wrote the Department of Health and Human Services (HHS) in its Omnibus Rule. “Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”
In other words, yes: cloud-based storage providers are considered Business Associates in the eyes of HHS, whether or not they ever look at the data they hold. So if your practice stores PHI remotely in the cloud, make sure you have a BAA in place with the provider.