New federal guidance specifies that cloud-computing service providers who handle protected health information (PHI) are almost always considered Business Associates under the HIPAA regulations and must meet the regulation’s security requirements.

The Office for Civil Rights (OCR) issued new guidance to Business Associates on October 7. This new guidance specifically targets Business Associates who provide Cloud Computing Services. Cloud computing is the practice of using remote servers to store and process data, rather than using a local server or a personal computer.

A business associate is a person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Therefore, if a covered entity uses a cloud-computing service provider to create, receive, maintain, or transmit ePHI on its behalf, the service provider is considered a business associate under HIPAA. Consequently, there must be a business associate agreement between the covered entity and the cloud-computing service provider.

In the release, the OCR specified that a service provider storing encrypted PHI is still a business associate, even if it does not hold the decryption key. This highlights how strict the business associate definition is. The only exemption is if the PHI was de-identified before being provided to the service provider. Additionally, the OCR reiterated that cloud-computing service providers cannot be considered conduits. Conduits are typically transmission-only services, such as the postal service or an internet service provider.

The OCR also reminded everyone that business associates are required to comply with all the standards and implementation specifications outlined in the Security, Privacy, and Breach Notification Rules. They have to be HIPAA compliant and can be fined for noncompliance just like a covered entity.

Due to the collaborative nature of covered entity and business associate relationships, one party may satisfy a standard or implementation specification on behalf of the other. For example, if the business associate handles encryption of PHI, the covered entity does not have to implement that encryption itself.

Cloud-computing service providers, as business associates, are required to notify the covered entity if there is a security incident. Also, cloud-computing service providers are not allowed to withhold PHI for any reason, per the Privacy Rule and the new guidance provided by the OCR.

As the world of PHI changes from paper to electronic, the OCR continues to provide valuable guidance on how covered entities and business associates can better protect patient information. To make sure you are doing everything you can to protect your patients’ information and stay up-to-date with HIPAA compliance, sign up with HIPAAgps for a 7-day trial.