United States: Five Highlights From OCR Guidance On HIPAA Compliance In Cloud Computing

The Department of Health and Human Services' Office of Civil Rights (OCR) has issued guidelines for HIPAA-covered entities that utilize cloud computing in processing electronic protected health information (ePHI). The increased use of cloud computing when HHS is stepping up enforcement makes this particularly timing.

The document is lengthy, and is worth reading in its entirety. But five highlights that struck us are:

• First, covered entities are permitted to use cloud computing to process ePHI. This permission is subject to the proviso that the covered entity enter a HIPAA-compliant business associate agreement (BAA) with the cloud services provider.
• Second, the conduit exception to the HIPAA Rules does not apply to cloud services providers. Cloud computing providers store ePHI; the conduit exception is limited to entities with fleeting access to ePHI.
• Third, OCR suggests that besides a BAA, a service level agreement (SLA) can define expectation benchmarks. These benchmarks can encompass HIPAA compliance issues. expectations including issues related to HIPAA compliance. HHS suggests these include system availability, reliability, data recovery (with a specific reference to ransomware), data return, and use, retention and disclosure limitations.
• Fourth, OCR specifically notes that the cloud services provider has its own regulatory obligations. It is directly liable under the HIPAA rules for unauthorized access or disclosure of ePHI. These include access not authorized by contract, required by law, permitted by the Privacy Rule, or in breach of the Security Rule. This is a critical point for cloud providers. In our experience, one difficult issue in negotiating SLAs is allocating financial and legal responsibility for HIPAA compliance. OCR has made it clear that the cloud service provider has its own compliance obligations independent of the covered entity.
• Finally, OCR states that health care providers may access mobile devices to access ePHI in the cloud. The only requirement is that the appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.

Overall, the OCR guidance continues to indicate regulatory flexibility in enforcement. On the plus side, this enables covered entities and business associates to exercise discretion in determining the appropriate level of safeguards for themselves. On the negative side, this flexibility comes at a cost: guidelines are recommended, but adherence offers no guarantees. In HIPAA enforcement, as in many others, in the words of Justice Oliver Wendell Holmes, Jr., "the life of the law has not been logic; it has been experience."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.