OCR Releases Guide for HIPAA and the Cloud

By: Arieanna Schweber | 10/19/2016

What is the goal when a breach report is investigated by the Office for Civil Rights? Jocelyn Samuels, Director of the HHS Office for Civil Rights (OCR), has said that the intent is not limited to identifying the cause of the breach. In fact, the investigation is also meant to uncover systemic problems that could place healthcare data at risk. Subsequent penalties and settlements reflect the OCR’s current strong stance on accountability and compliance. Despite the criticism against HIPAA from the GAO, there is no question that the Office for Civil Rights (OCR) has stepped up both advocacy and enforcement in recent months. As an example of this, they published Guidance for Business Associates this past spring. Now they have released Guidance for Cloud Computing, which takes a deep dive into HIPAA and the cloud.

What's in the OCR Guide?

Presented in a Q&A format, the guide will help covered entities take advantage of cloud technology while remaining compliant. While the questions focus on cloud resources offered by a legally separate entity (i.e. public cloud services), the advice offered looks at a range of cloud services, from cloud storage to full workspace solutions.

As noted in the document, any third party that creates, receives, maintains or transmits ePHI would be considered a business associate under HIPAA. Essentially, this extends the reach of HIPAA to public cloud providers. Such a relationship would require a business associate agreement (BAA) to contractually require the business associate to safeguard ePHI. The guide further clarifies that a cloud service provider (CSP) that stores encrypted ePHI without a decryption key is still considered a business associate.

Accessing ePHI in the Cloud on Mobile Devices

How does HIPAA apply to ePHI in the cloud? As a growing area of focus for the OCR, this question is well covered in the guide. Under HIPAA rules, healthcare providers can use mobile devices to access ePHI in the cloud, provided that certain conditions are met.

Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.

In short, visibility will be key to ensuring that healthcare organizations remain compliant with the clarified rules for HIPAA compliance in the cloud.

Absolute DDS for Healthcare provides visibility for your fleet of devices, as well as the data they contain, even for data stored in the cloud. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches, remotely deleting data or locking down devices, and prove compliance if needed. With full reporting capabilities, you can prove that your data remained protected, even when it was physically outside your control. Absolute DDS for Healthcare is a comprehensive onboarding program which pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at Absolute.com.
