The Department of Health and Human Services has released new guidance on complying with HIPAA privacy, security and breach notification principles when utilizing cloud computing technology. New guidance releases HIPAA obligations for cloud computing.
The new guidance releases HIPAA obligations will offer insights for contributors, business associates and cloud computing vendors. Few of the guidance is basic and famous to several HIPAA-covered entities. The first query, for example, considers if a HIPAA-covered agency/entity or business associate might utilize a cloud service to store or process electronic protected health information (ePHI). The answer is yes, provided the vendor steps into a business associate agreement that explains how HIPAA agreement will be maintained.
But overall, the new guidance releases HIPAA obligations will assist providers to develop a better concept of the present and ongoing security status of cloud vendors and other business associates (BAs).
“While encryption secures ePHI by importantly decreasing the threat of data being viewed by unauthorized individuals, such protections alone can’t correctly safeguard the confidentiality, integrity and presence of ePHI as needed by the Security Rule. Encryption doesn’t maintain the integrity and availability of ePHI, like ensuring that the information remains present to authorized persons even during emergency or disaster cases. Further, encryption doesn’t deal other safeguards that are also significant to maintaining confidentiality, like administrative safeguards to observe risks to the ePHI or physical safeguards for systems and servers that might house the PHI.”
The new guidance releases HIPAA obligations also reaffirms that HIPAA-covered entities (providers or business associates) can’t use a cloud service provider without first having implemented a business associate agreement (BAA), and notes a resolution compliance and corrective action plan that was enforced on a covered entity that stored ePHI of more than 3,000 individuals on a cloud server without a BAA.
“Moreover, a cloud service provider (CSP) that meets the definition of a business associate—that is a CSP that establishes, receives, maintains or transmits PHI on behalf of a covered entity or another business associate—must comply with entire applicable provisions of the HIPAA Rules, regardless of either it has executed a BAA with the entity by utilizing its services.”
Under HIPAA, cloud service providers, as well as other business associates, must report security tragedies including ePHI of a HIPAA covered entity or business associate, the HHS guidance notes. “A security tragedy means the attempted or victorious unauthorized access, use, disclosure, modification or destruction of data or interruption with system operations in an information system. Thus, a business associate CSP must execute policies and processes to deal and document security tragedies, and must report security tragedies to its covered entity or business associate customer.”
Also under HIPAA, contributors can use mobile devices to access ePHI from a cloud platform as long as suitable safeguards and BAAs are in place. Guidance on securing ePHI on mobile devices is available here.
In general, HIPAA doesn’t need cloud service providers and other business associates to maintain ePHI past the time it was utilized to serve a covered entity or business associate. Although, BAs must return or ruin all PHI at termination of the BAA. There is extra guidance for situations where return or destruction might not be feasible if other laws need the BA to retain the information.
Other parts of the guidance, available here, cover storage of ePHI outside the United States of America, auditing of cloud service providers and other business associates, and maintaining merely data that has been de-identified.
No comments:
Post a Comment