The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).

In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business associates under HIPAA, and are therefore subject to HIPAA’s requirements.  HHS expressly rejects the idea that CSPs are analogous to “conduits”(such as internet service providers) that provide transmission-only services.  Rather, HHS explains that CSPs store and maintain PHI and thus have ongoing and routine access.

We have discussed this guidance on the Inside Medical Devices blog. Covered entities and business associates that rely on CSPs should take steps to ensure that they are in compliance with HIPAA’s requirements.