HIPAA and the Cloud’s Shared Responsibility Models

Cloud-based service providers (CSPs), like Amazon Web Services and Microsoft Azure, offer online access to shared computing resources. As such, they have developed a “shared responsibility model” that spells out how the CSP and the companies that use its cloud services divide responsibility for security in the cloud. Many companies believe that, if they host protected health information (PHI) with a CSP, the CSP is ultimately responsible for ensuring HIPAA compliance. That is NOT the case. While the CSP will generally be responsible for ensuring that its cloud infrastructure is secure under the HIPAA rules, a company using the cloud services remains responsible for ensuring that its own uses and disclosures of PHI, as well as any of its platforms, applications, and operating systems that live in the cloud, comply with HIPAA.

Business Associate Agreements

CSPs that want to do business with a company that is subject to HIPAA (like a hospital or physician) will need to sign a Business Associate Agreement (BAA) with that company before any PHI is transmitted or uploaded. Under this BAA, the CSPs generally will agree to maintain appropriate safeguards …

Posted in Cloud Based Services, Health Care, HIPAA