No Longer Partly Cloudy: HHS Provides HIPAA Guidance Regarding Cloud Computing

In early October 2016, HHS’s Office for Civil Rights (“OCR”) released long-anticipated guidance regarding cloud computing services as they relate to the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”). While previously unclear, the new guidance specifically states that when a cloud service provider (“CSP”) maintains or stores electronic protected health information (“ePHI”) on behalf of a covered entity (or a business associate), the CSP is a business associate under HIPAA even if the data is encrypted and the CSP does not have access to the decryption key.

Historically, many CSPs did not offer Business Associate Agreements (“BAAs”) or were very reluctant to execute a BAA with covered entities (or business associates). Under the new guidance, however, it will be deemed a HIPAA violation for a covered entity (or business associate) to engage a CSP to maintain or store ePHI without first executing a BAA. Additionally, CSPs that are deemed business associates will be responsible for compliance with the applicable HIPAA Rules, including the existence of an executed BAA.

Other highlights of this guidance include:

- CSPs that only receive and maintain information that has been de-identified in accordance with the HIPAA Privacy Rule are not business associates.

- HHS clarified that the HIPAA conduit exception to business associate status applies where the only services provided to a covered entity (or business associate) are for transmission of ePHI and do not involve any storage of the information other than on a temporary basis incident to the transmission service. Therefore, a CSP will generally not be considered a “conduit”; where the conduit exception does apply, however, the CSP will not be considered a business associate.

- CSPs are required to report any security incidents involving ePHI.

- CSPs are not required to maintain ePHI beyond the time they provide services to a covered entity or business associate. However, the BAA (or other law) may require the CSP to retain ePHI for a period of time beyond termination of the contract, and in that case the HIPAA privacy and security protections of the BAA must be extended.

- Covered entities (and business associates) may use a CSP that stores ePHI outside of the United States, provided there is an executed BAA and the CSP otherwise complies with the applicable requirements of the HIPAA Rules. HHS notes, however, that covered entities (and business associates) should consider, as part of their required risk analysis and risk management plan, the potential increased risks, vulnerabilities, and other special HIPAA enforcement considerations when information is stored overseas.

- The HIPAA Rules do not expressly require that CSPs provide documentation of their security practices, or allow auditing of those practices, by their customers that are covered entities (or business associates); however, covered entities (or business associates) may want to address documentation and audits in their BAA.

The laws and regulations outlined in this alert are complex and may affect organizations differently. The content herein is provided for educational and informational purposes only and does not contain legal advice. Please contact our office if you have any questions or concerns about HIPAA compliance.

Dated: October 27, 2016