HIPAA and the Rise of Cloud Computing

By: Ian J. Pisarcik

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently published a document explaining how the Health Insurance Portability and Accountability Act (HIPAA) applies to cloud computing.

The OCR was motivated to offer guidance due to the proliferation and widespread adoption of cloud computing solutions and the corresponding confusion among HIPAA-covered entities and business associates with respect to how they can take advantage of cloud computing while not running afoul of HIPAA.

Perhaps the most important point stressed by the OCR is that when a covered entity engages the services of a cloud computing service provider (CSP) to create, receive, maintain, or transmit electronic protected health information (ePHI), the CSP is deemed a business associate under HIPAA. Similarly, when a business associate subcontracts with a CSP to create, receive, or transmit ePHI, the CSP subcontractor is deemed a business associate. This is true in both instances even if the CSP cannot view the ePHI because the ePHI is encrypted and the CSP does not have the decryption key.

The upshot is that the CSP must enter into a business associate agreement (BAA) with the covered entity (or the business associate) that is in compliance with HIPAA. If such an agreement is not entered into prior to services being performed, both the CSP and the covered entity will be directly liable under HIPAA.

For further information on how HIPAA applies to cloud computing, and how covered entities and business associates can take advantage of cloud computing without violating HIPAA, review the guidance document published on the U.S. Department of Health and Human Services website at: