HHS Gives HIPAA Guidance for Cloud Computing Providers

The guidance outlined the responsibilities of cloud service providers that work with HIPAA-covered entities.
Published: October 24, 2016

The Department of Health and Human Services released guidance on HIPAA requirements for providers of cloud computing services.

The new information is especially important for manufacturers and users of medical devices that store data on the cloud, according to the National Law Review.

The guidance made clear that any cloud service provider that creates, receives, maintains or transmits protected health information (PHI) for a HIPAA-covered entity or its business associate is itself subject to HIPAA regulations. The department’s guidance applies to cloud service providers even when they store only encrypted PHI and do not hold the decryption key.

The guidance also explained that encryption, while important, does not by itself prevent unauthorized access to PHI, so encryption alone does not satisfy the HIPAA Security Rule.


The department will allow hospitals to implement the safeguards required by HIPAA’s Security Rule on their own, and it recognizes that any HIPAA violations “that are attributable solely to the actions or inactions of the customer” will be solely the hospital’s responsibility.

But cloud service providers must still take their own actions to comply with the Security Rule, including measures to manage their information systems and to maintain disaster recovery plans. Cloud service providers must also take steps to comply with HIPAA’s Privacy Rule and its breach notification rule.

Read the full guidance letter here.
