Last week, the HHS Office of Civil Rights (OCR) released its long-awaited “Guidance on HIPAA & Cloud Computing” (Guidance). Using 11 questions and comprehensive responses, the Guidance details OCR’s position on the obligations of covered entities and business associates who use cloud services providers (CSPs) to manage their electronic protected health information (ePHI). There are three important takeaways from the Guidance: (1) CSPs are presumably business associates with very limited exceptions even if they only handle encrypted data, (2) OCR continues to emphasize the importance of tailored security risk assessments in its enforcement efforts, and (3) OCR is increasing its scrutiny of contractual agreements involving ePHI in its enforcement efforts.
Acknowledgement: Lexology – Crowell & Moring LLP – Jodi G. Daniel, Stephanie D. Willis and Elliot Golding