The Department of Health and Human Services (HHS) has released guidance on how HIPAA applies to providers of cloud computing services.
The new information is especially important for manufacturers and users of medical devices that store data on the cloud, according to the National Law Review.
The guidance makes clear that any cloud service provider that creates, receives, maintains or transmits protected health information (PHI) on behalf of a HIPAA-covered entity or one of its business associates is itself a business associate and is subject to HIPAA. That applies even when the provider only stores encrypted PHI and never holds the decryption key.
The guidance also explains that encryption, while important, protects only the confidentiality of stored PHI; it does nothing to guarantee the data's integrity or availability, for example against corruption by malware or loss during an outage. Encryption alone therefore does not satisfy the HIPAA Security Rule.
The department lets a hospital and its cloud provider decide between themselves who implements which of the Security Rule's safeguards, and it recognizes that any HIPAA violations "that are attributable solely to the actions or inactions of the customer" are the hospital's responsibility, not the provider's.
But cloud service providers must still meet their own obligations under the Security Rule, including safeguards for the information systems that hold PHI and contingency and disaster recovery planning. They must also comply with HIPAA's Privacy Rule and its breach notification rule.