Earlier this month, the Department of Health and Human Services’ Office for Civil Rights issued guidance (the “Guidance”) for HIPAA-covered entities that use cloud computing services involving electronic protected health information (“ePHI”).
The Guidance makes clear that covered entities and business associates may use a cloud service to store or process ePHI, provided that the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (“BAA”) with the cloud services provider (“CSP”). The BAA must establish the permitted and required uses and disclosures of ePHI, and require the CSP to appropriately safeguard ePHI, including by implementing the requirements of the HIPAA Security Rule. The BAA also must require the CSP to report to the covered entity or business associate whose ePHI it maintains any security incidents of which it becomes aware. The parties, however, are free to define the level of detail, frequency or format of security incident reports.
The Guidance also clarifies that CSPs do not fall within the conduit exception to the HIPAA Rules, because the conduit exception is limited to entities that transmit, and in the process only have transient access to, PHI. Unlike mere conduits, CSPs maintain ePHI for storage purposes and have “more persistent access to the ePHI.” Additionally, the Guidance permits health care providers to use mobile devices to access cloud-stored ePHI, provided that appropriate physical, administrative and technical safeguards, as well as appropriate BAAs, are in place to protect the ePHI’s confidentiality, integrity and availability. The Guidance also permits covered entities and business associates to use CSPs that store ePHI on servers outside of the U.S., but highlights that entities using CSPs to maintain ePHI outside the U.S. should consider the risks associated with the country where the cloud server is located.
Finally, the Guidance notes that, pursuant to the HIPAA Security Rule, CSPs are directly liable for failing to safeguard ePHI as well as for impermissible use or disclosure of ePHI. Although the HIPAA Rules do not require CSPs to provide documentation or allow auditing of their security practices, a BAA or other contractual agreement may impose such obligations.