
Clearer Skies Ahead for HIPAA-Covered Entities Using Cloud Service Providers

Posted on: October 27th, 2016

By: Mandy Proctor

Earlier this month, the Department of Health and Human Services’ Office of Civil Rights (OCR) issued guidelines to HIPAA-covered entities that use or may use cloud service providers (CSPs) in connection with the processing of electronic Personal Health Information (ePHI). The guidelines provide that covered entities may utilize CSPs to create, receive, maintain, or transmit ePHI as long as certain requirements are met. Specifically, when a covered entity uses a CSP to handle ePHI on its behalf, the covered entity and the CSP must enter into a business associate agreement (BAA) which prescribes the permitted and required uses and disclosures of ePHI by the CSP and obligates the CSP to safeguard ePHI in accordance with HIPAA’s Security Rule. In connection with these guidelines, OCR also created guidance on the necessary elements of a HIPAA-compliant BAA.

Once the BAA is executed, the guidelines provide that CSPs can be used to handle ePHI. This includes the use of mobile devices to access ePHI stored in the cloud, as long as appropriate safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI. A BAA should also be entered into with any third-party service providers which may have access to the ePHI on the mobile device. Covered entities may also use CSPs that store ePHI on servers outside the United States, but OCR notes that the risks to ePHI may vary depending on the geographic location, and such risks should be considered in establishing the appropriate safeguards in the BAA.

Importantly, OCR’s guidelines also clarify that CSPs that handle ePHI on behalf of HIPAA-covered entities constitute “business associates” and therefore must comply with the HIPAA Privacy, Security, and Breach Notification Rules. This is true even if the CSP only handles encrypted ePHI for which the CSP lacks an encryption key. This creates an affirmative duty on the part of the CSP to respond to suspected security incidents, including mitigating any harmful effects resulting from those incidents, and failure to safeguard the ePHI could expose the CSP to direct liability as prescribed by HIPAA’s Security Rule.

For more information, the text of the new guidelines summarized herein is available online at:

