Misconceptions About Using Cloud Service Providers and HIPAA Compliance


Many healthcare organizations are moving to the cloud to manage patients’ ePHI. Before a HIPAA covered entity does the same, it needs to understand what HIPAA compliance requires of cloud computing. This article discusses common misconceptions about HIPAA compliance and cloud computing, so that the cloud can be used to good effect without violating HIPAA rules.

Myth #1 Using a HIPAA-compliant cloud service provider ensures HIPAA rules will not be violated.

Even if a cloud service provider has all the safeguards that ensure it is HIPAA compliant, the covered entity or business associate is responsible for configuring the service so that it fully complies with HIPAA rules.

Myth #2 Cloud service providers do not need to sign a BAA because they are considered conduits.

Cloud service providers claim they don’t access data stored on their platforms, but they are still considered business associates. Using these services to manage ePHI without a signed business associate agreement violates HIPAA rules.

Myth #3 Before storing de-identified PHI in the cloud, a BAA is necessary.

De-identified PHI is not the same as protected health information, so no HIPAA Privacy Rule provision restricts its use or storage.

Myth #4 Physicians are not allowed to use mobile devices for accessing ePHI stored in the cloud.

The HIPAA rules do not specifically restrict the use of mobile devices to access the cloud. But there must be administrative, technical and physical safeguards that guarantee the integrity, confidentiality and availability of PHI stored in the cloud or downloaded to a mobile device. Note that some healthcare organizations implement policies that do not allow mobile devices to be used with cloud services.

Myth #5 PHI stored in the cloud must be retained for 6 years.

The retention rule of 6 years applies to HIPAA-covered entities. It does not apply to cloud service providers. Should the use of cloud services be discontinued, all PHI stored in the cloud must be returned or permanently deleted.

Myth #6 Cloud service providers located outside of the United States may not be used to store PHI.

No geographical restrictions exist on the use of cloud services to store data. The servers may be located in any country. However, covered entities should analyze the risks of using a cloud service with servers located overseas. The level of data protection may not be the same as for servers located in the U.S.