Cloud service providers (CSP) are businesses that provide network services, business applications, or infrastructure, in the cloud. The services are hosted in a remote data center that can be accessed through a company network connection. Cloud service providers that create, receive, maintain, or transmit electronic protected health information (ePHI) on behalf of a covered entity or business associate, are considered HIPAA business associates. HIPAA cloud service providers must comply with the HIPAA Security Rule, and enter into business associate agreements with their covered entity or business associate clients.
How Must HIPAA Cloud Service Providers Comply with HIPAA?
HIPAA cloud service providers must enter into a HIPAA business associate agreement with the covered entity or business associate on whose behalf they will create, receive, maintain, or transmit ePHI.
The business associate agreements between HIPAA cloud service providers and covered entities, and the business associate agreements between HIPAA cloud service providers and other business associates, must establish when the cloud service provider is permitted, as well as when the cloud service provider is required, to use and disclose ePHI.
The specific uses and disclosures of ePHI that HIPAA cloud service providers will make depend upon the nature of the relationship between the cloud service provider and the other party to the business associate agreement, and upon the nature of the services or activities being performed by the cloud service provider.
HIPAA cloud service providers are contractually obligated, under the business associate agreement, to take measures to appropriately safeguard the ePHI they create, maintain, receive, or transmit. To safeguard the ePHI, HIPAA cloud service providers must implement the requirements of the HIPAA Security Rule.
Risk Analysis
A covered entity (or business associate) that engages a cloud service provider's services should understand the cloud computing environment or solution offered by that particular cloud service provider, so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate business associate agreements.
Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.), provided it enters into a business associate agreement with the cloud service provider, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.