OCR Cloud Computing Guidance

Everything you wanted to know about the OCR Cloud Computing Guidance but were afraid to ask

What exactly is the cloud?

The cloud is a network of servers used to share resources, software, and information via a network. Each server has a different function. Some servers run applications and some deliver a service. The information is stored on physical servers maintained and controlled by a cloud computing provider. The iCloud is an example of a popular service provided by Apple. In the simplest terms, the cloud is just a metaphor for the Internet.

How does it affect HIPAA?

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued guidance in October 2016 for covered entities and business associates that use cloud computing service, in order to maintain compliance with the HIPAA Rules protecting the privacy and security of ePHI.

The OCR does not endorse or otherwise recognize HIPAA compliance “certifications” provided by private organizations. Covered entities and business associates should ensure their own compliance with the HIPAA Rules.

Here are a few highlights from the OCR guidance.

  • A cloud service provider (CSP) is a business associate when a covered entity or business associate engages the services of the CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf.
  • The CSP lacking an encryption key to the ePHI does not exempt the CSP from business associate status and its obligations under the HIPAA Rules.
  • A HIPAA-compliant BAA is required between the covered entity (or business associate) and the CSP.
  • OCR does not endorse, certify, or recommend specific technology or products.
  • In addition to a BAA, a Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer (the covered entity or business associate). SLAs may address HIPAA concerns such as system availability and reliability; back-up and data recovery; use, retention and disclosure limitations.