Here’s a quick summary of key compliance points arising from the use of “Cloud Service Providers” (CSPs) by medical providers.
(1) Providers can use a CSP.
(2) The CSP is a “Business Associate” subject to HIPAA. This is true even if it holds only encrypted electronic protected health information (ePHI) and does not hold the decryption key.
(3) This means providers can only use CSPs that are willing to execute a Business Associate Agreement (BAA).
(4) The provider must understand the CSP’s operation well enough to conduct its own risk analysis and manage the risk.
(5) If the CSP provides a “Service Level Agreement” (SLA), the provider must ensure it addresses HIPAA’s requirements. It must not, for example, prevent the provider from accessing its own ePHI.
(6) Providers can access the CSP using mobile devices. The devices must have safeguards in place to prevent disclosure of ePHI to unauthorized parties.
(7) The CSP can be overseas. But it should be in a country where the rule of law is well respected and hackers are not known to be prevalent, since the provider remains responsible for the risk.
Key Source: HHS Guidance on HIPAA & Cloud Computing