Cloud Computing and HIPAA Guidelines

As healthcare organizations across the country scramble to take advantage of the power of the cloud, Health and Human Services (HHS) is providing guidance for use of cloud services. The guidelines provide both covered entities and the Cloud Service Provider (CSP) information to assist them in understanding their obligations under HIPAA regulations. When a covered entity contracts a cloud provider for services that receive, create, maintain, or transmit electronic protected health information (ePHI) it is vital that they understand exactly what cloud services are and the security requirements that are necessary. An important point to remember is that the CPS is a business associate. That relationship is true even if the organization's data is encrypted and the cloud provider does not have access to the encryption key.

The HHS guidelines provide eleven questions and answers that were developed to assist the both the covered entity and the cloud provider in understanding exactly how the HIPAA rules are applicable. A complete text of the guidelines can be found at http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

About the author

Dr. James Angle has a distinguished career with over 20 years of experience in numerous areas of IT including the distinction of having served as the Deputy CIO for an army hospital. He also has over 15 years of experience in information security in the private sector and in government service.