Top considerations for HIPAA-compliant cloud computing

Understanding how HIPAA rules apply to cloud computing

The National Institute of Standards and Technology defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Using this definition as its guide, the HHS Office for Civil Rights' (OCR) guidance on HIPAA and cloud computing aimed to help HIPAA-covered entities and business associates understand their obligations under the HIPAA Security, Privacy and Breach Notification Rules.

Under the HIPAA Security Rule, a CSP that is a business associate must comply with HIPAA implementation specifications and standards when it comes to safeguarding protected health information (PHI), OCR stated.

For example, a CSP that is a business associate is required to evaluate and mitigate the risks of a malicious actor having access to its administrative tools. CSPs must implement internal controls to ensure limited access to tools that manage critical operations, such as storage, memory and network interfaces.

Under the HIPAA Privacy Rule, a business associate can only use or disclose PHI as is permitted by its BAA. Even if a CSP provides no-view services, they still must follow the terms of the BAA and HIPAA Privacy Rule. For example, CSPs are not permitted to block the covered entity's access to its own PHI because of a payment dispute between the covered entity and CSP. Doing so would constitute an impermissible use of PHI under HIPAA.

CSPs must also comply with the HIPAA Breach Notification Rule as it pertains to business associates. Generally, business associates are responsible for notifying a covered entity of any breach of unsecured PHI.

Before engaging with a CSP, HIPAA-covered entities might want to consult with their legal counsel and follow its standard channels of establishing a HIPAA-compliant relationship with a new vendor.

Establishing a business associate agreement with your CSP

Throughout the guidance document, OCR emphasized the presence of a business associate agreement, which is a key tool in vetting the security of a vendor and reducing legal risks and data breaches throughout the relationship.

Most importantly, a BAA holds the CSP contractually liable for compliance with HIPAA.

"When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA," OCR stated.

"Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data."

In 2016, OCR reached a $2.7 million settlement with Oregon Health & Science University after it discovered that the university had stored the PHI of more than 3,000 individuals on a cloud-based server without a BAA.

A BAA plays a crucial role in establishing the permitted uses and disclosures of PHI by the business associate and holds the CSP accountable for upholding HIPAA rules. OCR also clarified that even if a CSP cannot view the PHI because it is encrypted, they are still considered a business associate because they are engaging in the storage and processing of PHI.

BAAs are valuable tools for both the healthcare organization and the CSP, as they can clearly establish terms surrounding breach notifications and security controls between the two entities that might otherwise go unchecked. This mechanism proves especially crucial in the event of a security incident and subsequent disclosures.

"For example, the BAA may prescribe differing levels of detail, frequency, and formatting of reports based on the nature of the security incidents -- e.g., based on the level of threat or exploitation of vulnerabilities, and the risk to the ePHI they pose," OCR said.

"The BAA could also specify appropriate responses to certain incidents and whether identifying patterns of attempted security incidents is reasonable and appropriate."

Establishing a BAA with a CSP will ensure that both parties understand their obligations under HIPAA.

Assessing key cloud security considerations

Even with a BAA in place, there is a reasonable level of risk involved with engaging and sharing data with any new vendor. Keeping up to date on the latest cloud security concerns can help healthcare organizations and their CSPs address potential shortcomings proactively rather than reactively.

The Cloud Security Alliance (CSA) identified misconfiguration and inadequate change control, identity and access management and insecure interfaces and APIs as the top three threats to cloud computing in a 2024 report. Inadequate implementation of cloud security strategy and insecure third-party resources were also top cloud security concerns in 2024.

CSA issued the report to help organizations understand cloud security risks and vulnerabilities and make informed decisions about cloud adoption strategies. The report predicted that increased attack sophistication, supply chain risk, and the rise of ransomware-as-a-service will shape future cloud computing trends.

Staying updated on the latest cloud security threats can help organizations manage risks and establish policies with CSPs upfront that further mitigate those risks. As cloud adoption increases, healthcare organizations that prioritize security, establish strong BAAs and pay close attention to HIPAA compliance will be able to reap the benefits of cloud computing.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.