HHS Guidance on HIPAA and Cloud Computing
The Department of Health and Human Services Office of Civil Rights (OCR) recently released guidance on HIPAA and cloud computing that clarifies that Cloud Service Providers (CSP's) are business associates under HIPAA. The guidance for CSP’s has been somewhat, well, cloudy, in the past. To simplify, if you’re involved with ePHI in any way – touching it, creating it, storing or maintaining it – you fall under the HIPAA Rules. That means in addition to having a business associate agreement (BAA) in place you’ll want to understand your regulatory obligations with a CSP.