This is the flip side of last week’s post. Here’s a quick summary of some key compliance points for Cloud Service Providers (CSPs) who serve medical practitioners and their business associates.
(1) Information de-identified per HIPAA’s Privacy Rule is not ePHI. If that’s all a CSP is hosting, HIPAA will not regulate the hosting.
(2) CSPs can host a practitioner's store of electronic protected health information (ePHI), or any part of it.
(3) If they do, CSPs must execute a Business Associate Agreement (BAA) with the practitioner. This is true even if CSPs host only encrypted information for which they lack the key.
(4) Breach Liability. CSPs hosting a practitioner’s ePHI may be liable to the practitioner. They may also be subject to direct enforcement action by the government.
(5) Terms of Service or Service Level Agreements offered to practitioners must not violate HIPAA. This can occur, for example, if the agreements improperly block or terminate a practitioner’s or patient’s access to ePHI for nonpayment.
(6) Subject to some limitations that apply where a breach is clearly the practitioner's fault, a CSP is independently responsible for maintaining appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of the practitioner's ePHI.
(7) CSPs must facilitate patients' rights to access and amend their ePHI and to receive an accounting of disclosures of it.
(8) CSPs must effectively destroy ePHI when their relationships with practitioners end.
(9) CSPs must consider carefully whether they can safely store ePHI outside the United States. Relevant considerations include the legal climate in the foreign jurisdiction and the hacking environment there.
(10) Depending on the scale of the practitioner's operation and the CSP's, a practitioner may insist on audit rights as a result of its risk analysis.
Key Source: HHS Guidance on HIPAA and Cloud Computing