May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Answer:

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules.  Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.  OCR has created guidance on the elements of BAAs.^[i]

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs.  See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502.  Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.  For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),^[ii] provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

In addition, a Service Level Agreement (SLA)^[iii] is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance.  For example, SLAs can include provisions that address such HIPAA concerns as:

• System availability and reliability;
• Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
• Manner in which data will be returned to the customer after service use termination;
• Security responsibility; and
• Use, retention and disclosure limitations.^[iv]

If a covered entity or business associate enters into a SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules.  For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR §§  164.308(b)(3),  164.502(e)(2), and 164.504(e)(1).^[v]

In addition to its contractual obligations, the CSP, as a business associate, has regulatory obligations and is directly liable under the HIPAA Rules if it makes uses and disclosures of PHI that are not authorized by its contract, required by law, or permitted by the Privacy Rule.  A CSP, as a business associate, also is directly liable if it fails to safeguard ePHI in accordance with the Security Rule, or fails to notify the covered entity or business associate of the discovery of a breach of unsecured PHI in compliance with the Breach Notification Rule.

For more information about the Security Rule, see OCR and ONC tools for small entities^[vi]  and OCR guidance on SR compliance.^[vii]