Cloud service providers (CSPs), such as Amazon Web Services and Microsoft Azure, offer online access to shared computing resources. Because the provider and its customers each control different layers of that environment, CSPs have adopted a “shared responsibility model” that divides security duties between the CSP and the companies that use its services. Many companies believe that, if they host protected health information (PHI) with a CSP, the CSP is ultimately responsible for HIPAA compliance. That is NOT the case. The CSP is generally responsible for securing the underlying cloud infrastructure (the physical data centers, hosts, hypervisors and core network) under the HIPAA rules, often described as security “of” the cloud. The company using the cloud service remains responsible for security “in” the cloud: how its own PHI is used and disclosed, who is granted access to it, whether it is encrypted in transit and at rest, and whether the platforms, applications and operating systems the company runs in the cloud comply with HIPAA.
Business Associate Agreements
A CSP that creates, receives, maintains or transmits PHI on behalf of a HIPAA covered entity (such as a hospital or physician practice), or on behalf of one of that entity’s business associates, is itself a business associate under HIPAA and must sign a Business Associate Agreement (BAA) with that company before any PHI is transmitted or uploaded. Under the BAA, the CSP generally agrees to maintain appropriate safeguards for the security of PHI, to notify the company of any improper access to or use of its PHI, and to ensure that its own subcontractors comply with the same restrictions. Under HHS guidance this applies even where the CSP stores only encrypted PHI and does not hold the decryption key: a “no-view” arrangement still requires a BAA.
CSP BAAs are often drafted to include only the bare minimum required by HIPAA. For example, a CSP BAA should require the CSP to report any breach of unsecured PHI to the company, but it often will not specify what such a report must contain or how quickly it must be delivered beyond the outer limit in the Breach Notification Rule (without unreasonable delay and no later than 60 calendar days after discovery). A company that receives a late or incomplete report can be left scrambling to meet its own obligations to notify affected individuals, HHS and, in some cases, the media. And do not expect the CSP to sign the company’s own form of BAA or to make significant changes to the CSP’s standard BAA. In addition, the government does not endorse, certify or recommend specific technology or products, and there is no official HIPAA certification, so any claim by a CSP (or other vendor) that it is “HIPAA compliant” or “HIPAA certified” should be taken with a grain of salt. Companies that want to use CSP services need to do their own diligence when choosing a CSP, including confirming which of the CSP’s services are actually covered by its BAA (CSPs typically publish a list of eligible services) and reviewing independent audit reports such as SOC 2 or HITRUST assessments.
These CSP BAAs typically make clear that the company using the cloud services must itself comply with HIPAA’s Security Rule and maintain appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of the PHI it transmits to the CSP. This means the company will still be required, among other things, to designate a Security Officer, conduct and document a HIPAA-compliant risk analysis, and put in place a HIPAA Security Manual of policies and procedures tailored to its actual IT systems, including its cloud environment. In practice, the technical safeguards that fall on the customer’s side of the shared responsibility model include configuring identity and access controls so that only authorized workforce members and services can reach PHI, enabling and retaining audit logs of access to PHI, and encrypting PHI in transit and at rest, including managing the encryption keys. If the company is itself a “covered entity” under HIPAA (like hospitals and physicians), it will also need to comply with the HIPAA Privacy Rule, including, among other things, appointing a Privacy Officer and adopting a HIPAA Privacy Manual that sets forth policies and procedures for the use and disclosure of PHI.
The good news is that companies using CSPs can reap the benefits of the cloud, such as flexibility, scale and availability, and shift some of the burden of HIPAA compliance (chiefly physical and infrastructure security) to the CSP. Nevertheless, companies that are subject to HIPAA and are considering CSP services must understand that their HIPAA obligations for everything on their side of the shared responsibility model continue unchanged.