Got PHI in The Cloud?: Get HIPAA Compliant!

I have had many conversations with cloud service providers (CSP) and their clients about HIPAA compliance requirements so it is useful for HHS to finally publish the rules and definitions.

Key Points

When a covered entity engages a CSP to create, receive, maintain, store or transmit ePHI, on its behalf, the CSP is a business associate under HIPAA. Likewise, when a business associate subcontracts with a CSP for similar services, the CSP is a business associate.

Dealing only with encrypted data without an encryption key does not absolve the CSP of HIPAA compliance responsibility.

Up-to-date risk assessments are required.

The CSP must report any security incidents.

The CSP can't block the covered entity's access to the data.

Data can be stored outside the US.

Business associate agreements are required at all levels.  Covered entity to business associate and business associate to sub contractors.

Here is the link to the HHS site: 

Add Your Comments

(not published)