The Department of Health and Human Services Office for Civil Rights released guidance on the application of HIPAA privacy and security to cloud service providers (CSP).
CSPs provide on-demand Internet access to computing services, such as networks, servers, storage and applications. The guidance confirms that CSPs can be business associates subject to HIPAA if the CSP handles electronic protected health information (PHI). This can be the case even if the CSP holds only encrypted PHI and does not have the key to decrypt the data.
The HHS guidance in effect means that covered entities and business associates must enter into HIPAA business associate agreements with their CSPs, and CSPs must adhere to business associate requirements.
All organizations that transact business through CSPs should review the data shared with the CSP to determine if a HIPAA business associate agreement is necessary.