On Oct. 7, the Office for Civil Rights (OCR) provided guidance for covered entities (CEs) and business associates (BAs) in the healthcare industry on the use of cloud services and cloud service providers (CSPs). The guidance will allow CEs and BAs to use cloud services while still maintaining compliance with Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules. Cloud computing offers an array of options for CEs and BAs, including data storage and outsourced online services. OCR’s guidance suggests that CEs and BAs familiarize themselves with the definitions of cloud services provided by the National Institute of Standards and Technology.
When a CE engages the services of another entity to create, receive, maintain, or transmit electronic protected health information (ePHI), the cloud service provider is considered a business associate. Moreover, when a business associate subcontracts with a CSP, the subcontractor is also considered a business associate. Per final omnibus rules, CEs, BAs, and subcontractor BAs are all required to adhere to HIPAA privacy and security rules.
The OCR’s guidance is organized into FAQs about solutions provided by cloud service providers. Here are the most important aspects of those FAQs:
Using cloud services can be very attractive for many healthcare organizations and covered entities. Cloud services provide appealing benefits, including ease of use, ability to access the data via a mobile device, and scalability of resources. However, using cloud services does come with risks. The risks and rewards should be weighed when engaging with a third-party service provider. If the reward does outweigh the risk, the covered entity should follow the OCR’s guidance when engaging with a cloud service provider as well as perform a due diligence third-party risk assessment that conforms to the organization’s standards.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.
The personnel of SDGblue have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm with a global risk consulting practice and offices around the world. This move provides SDGblue clients access to a broader range of products, services, and solutions, while expanding the Crowe cybersecurity risk management capabilities with a deeply specialized team.
Looking for the Client Login?
Access the SDGblue Client Portal
As of Oct. 30, 2017, the professionals of Rowbotham International have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on domestic and international tax and audit compliance services, as well as advisory services.