Cloud computing offers users significant efficiencies by outsourcing IT systems, along with the management and administration of those systems. This might include, for example, having data stored, processed and managed by the cloud computing provider. Although privacy and security issues affect any cloud user, the highly regulated health care industry should remain cautiously optimistic when weighing the financial benefits of the cloud against the potential compliance risks.
So the question remains: Can HIPAA-covered entities (e.g., health care providers and health plans) store protected health information (PHI) in the cloud and still comply with HIPAA privacy and security regulations? The answer is: It depends. It depends on the cloud computing service provider and on how that provider sees itself and its obligations to protect the privacy and security of the data. The better answer to the question, then, is that covered entities can store PHI in the cloud and still comply with HIPAA, assuming they choose the right cloud computing provider. But who is the right cloud computing provider?
Are Cloud Computing Providers Business Associates?
Generally speaking, before disclosing PHI to a third party that will provide services to, for or on behalf of a covered entity, the covered entity must obtain satisfactory assurances, in the form of a written agreement, that the third party will appropriately safeguard the information. The HIPAA Privacy Rule defines these third parties as "business associates." Business associates include those third parties that provide data analysis, processing or administration, as well as those that perform any other function or activity regulated by the Privacy Rule.
Given that cloud computing providers often process and store data (storage of data presumably fits within the meaning of administration of data), it seems clear to us that cloud computing providers who provide these services to HIPAA-covered entities are business associates. Even if we were to say, arguendo, that pure storage of data is not data analysis, processing or administration of data, one would be hard-pressed to argue that storing PHI is not a function or activity regulated by the Privacy Rule. So, one would think that this is a slam dunk. If it walks like a duck and talks like a duck, it's a duck -- cloud computing providers are business associates if they store PHI on behalf of HIPAA-covered entities, and the right cloud computing providers are those that agree that they are business associates and protect the privacy and security of PHI in compliance with their contractual and legal obligations.
Unfortunately, the industry is not that simple and not all cloud computing providers agree that they are business associates. In fact, most cloud computing providers do not deal exclusively with health care providers and health plans, so the concept of being a business associate, frankly, might be a foreign concept to them. In addition, some cloud computing providers might argue that they are "mere conduits" that do not routinely access PHI. Perhaps these are not the "right" cloud computing providers then?
Possibly. We say possibly because even if they do not technically admit to being a business associate, as long as they agree to take on all of the corresponding obligations of a business associate, that is, they provide the requisite reasonable assurances required by the HIPAA privacy and security rules, then they still might be the right -- or close enough to right -- cloud computing provider.
We would not advocate for covered entities to engage a cloud computing provider without a business associate agreement in place. However, even if a provider does not sign a business associate agreement, under the HHS proposed changes to the definition of a business associate, a third party would be a business associate if it meets the definition, regardless of whether a business associate agreement exists, and would therefore be subject to all of the legal obligations applicable to business associates.
Service Agreements With Cloud Computing Providers
Ideally, when entering into a service agreement with a cloud computing provider, a covered entity should ensure that the cloud computing provider agrees to the terms of a business associate agreement, which usually is in the form of an amendment to the underlying service agreement.
In the event that the cloud computing provider does not offer or will not agree to enter into a business associate agreement, the covered entity is faced with:
- Choosing a different cloud computing provider; or
- Negotiating, point by point, the terms of a business associate agreement in the hope that the vast majority -- or at least the most significant -- of those obligations end up somewhere in the agreement, so as to ensure compliance with the HIPAA privacy and security rules.
At a high level, the HIPAA privacy and security rules' business associate agreement obligations revolve around ensuring that the business associate will:
- Use or disclose PHI only for specifically permitted purposes;
- Have in place appropriate safeguards to protect the privacy and security of the information to prevent impermissible uses and disclosures (including, for example, access controls, encryption of data, incident response plans and disaster recovery);
- Notify the covered entity of any impermissible uses or disclosures of PHI (including breaches and security incidents); and
- Ensure that any third parties to whom it discloses PHI will agree to the same restrictions.
In addition, and likely less applicable in the context of cloud computing, the business associate will allow the subject of the PHI to have certain rights to the PHI. Finally, to the extent that the business associate breaches these obligations, the covered entity must be able to terminate the agreement.
Even a cloud computing provider that opposes the notion of being labeled a business associate likely will agree that these provisions are best practices in an industry where data privacy and security are part and parcel of one's business reputation.
Therefore, it's possible that even the cloud computing provider that is unaware of or against the need to sign a business associate agreement, per se, might very well be open to agreeing to the underlying provisions that must be included in a business associate agreement. If so, even those cloud computing providers might be the right providers of services for covered entities who want to use their services, but who also understand the need to comply with HIPAA.