As Boston lawyer and HIPAA healthcare expert David Harlow points out in his eminently useful blog post on the Office for Civil Rights‘ recent guidance on cloud computing, there’s really not that much new in the guidance, but the bits that are bear examining.
Harlow parsed OCR’s dense legalese and came up with these choice new items:
- “No view” cloud service providers that handle only encrypted data and do not have access to decryption keys are still business associates, and as such must comply with some HIPAA privacy and security requirements. Harlow notes that most of the big cloud vendors doing business in healthcare require their customers to do the encryption and so reduce the cloud service providers’ exposure to regulatory oversight.
- Covered entities (which include most healthcare insurers, clearinghouses and providers that transmit protected health information (PHI) under Department of Health and Human Services standards) should review cloud vendors’ service level agreements to be sure that the cloud vendor does not limit the ability of the covered entity to comply with HIPAA.
- Cloud companies that are defined as business associates have to notify covered entities of security incidents or breaches even when the PHI they are holding is encrypted.
- HIPAA rules do not require that PHI be kept on cloud servers in the U.S., but OCR says location should be considered in risk analysis and management. Interestingly, Harlow says here: “As a practical matter key issues to consider are likelihood of successful malware attacks or other exploits at the overseas data center and ease of enforcement of legal rights in overseas court systems.”
Harlow’s somewhat cautionary conclusion on the geography question: “Given these issues, it makes sense in most cases to keep U.S. health data on U.S. servers.”
Like some other health IT observers, Harlow thinks these clarifications are fine as far as they go. He messaged me this comment: “On the question of new law/regs, though, while it might be nice to have a new comprehensive rule I don’t really think we need it, and I certainly don’t expect it.