OCR: HIPAA and Cloud Services

hipaa ocr health records

In early October 2016, the Office for Civil Rights (OCR) published an extensive guidance document on Cloud Computing that takes the form mostly of FAQs at http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html. Basically, it states that that covered entities (CEs) and business associates (BAs) must protect and secure protected health information no matter where it is stored or maintained … in other words, EVERWHERE! Including, if the ePHI is off-shore or outsourced.

In the guidance, OCR states: “Cloud computing takes many forms. This guidance focuses on cloud resources offered by a cloud services provider (CSP) that is an entity legally separate from the covered entity or business associate considering the use of its services. CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions (e.g., an electronic medical record system), platforms to simplify the ability of application developers to create new products, and entire computing infrastructure for software programmers to deploy and test programs.”

The ideas within this guidance will help your organization with the privacy requirements, the security requirements and the breach notification requirements as it uses cloud vendors.

Two Important Answers in the Guidance

The guidance also clearly states that CSPs who ONLY store ePHI are business associates. It also clearly states that CSPs are not conduits.

Questions and Answers

The questions asked in the guidance are very well answered; they are listed below with short answers. Your organization should give this guidance to your IT leadership and your legal office, and train all your staff the use and disclose PHI in the guidance’s information and ideas.

  • May a HIPAA-covered entity or business associate use a cloud service to store or process ePHI?
    • Yes
  • If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
    • Yes
  • Can a CSP be considered a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
    • Generally, no. The conduit exception is limited to TRANSMISSION SERVICES only.
  • Which CSPs offer HIPAA-compliant cloud services?
    • “OCR does NOT endorse, certify, or recommend any technology or products.”
  • What if a HIPAA-covered entity or business associate uses a CSP to maintain ePHI without first executing a business associate agreement with a CSP?
    • This is a violation of the HIPAA Rules!
  • If a CSP experiences a security incident involving a HIPAA-covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?
    • Yes
  • Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?
    • Yes
  • Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
    • No
  • Do the HIPAA Rules allow a covered entity or business associate to use CSP that stores ePHI on servers outside the United States?
    • Yes
  • Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?
    • No
  • If a CSP receives and maintains only information that has been de-identified with the HIPAA Privacy Rule, is it a business associate?
    • No

If as a CE or BA your organization is going to use a CSP it will need a business associate agreement (BAA) with the CSP. As you know, a business associate agreement is a legal contract and your organization can add additional statements and provisions to a BAA that it needs. For example, if the ePHI your organization is storing or maintaining with a CSP your BAA may include a provision for any additional documentation your organization wants, and retain the ability to audit if you hear of any problems at the CSP.


The guidance has many links within it and a series of footnotes that I suggest you review as your organization cloud services work and integrate into your organization’s training.