New HIPAA Guidance from DHHS
New guidance from the Department of Health and Human Services determines Cloud Service Providers (CSPs) that create, receive, maintain, or transmit electronic protected health information (ePHI) [on behalf of covered entities] … are Business Associates under HIPAA. That conclusion has far-reaching effects and will require immediate remediation by many covered entities (and business associates acting on their behalf, since the new guidance includes subcontractors of business associates). The most important step any covered entity or business associate involved in cloud computing activities need to take is to immediately supplement their cloud agreements with formal Business Associate Agreements (BAAs) and assure that their cloud provider is in compliance with HIPAA privacy, security, and breach notification rules.
To read the full article, click here.