The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).

In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business associates under HIPAA, and are therefore subject to HIPAA’s requirements.  HHS expressly rejects the idea that CSPs are analogous to “conduits”(such as internet service providers) that provide transmission-only services.  Rather, HHS explains that CSPs store and maintain PHI and thus have ongoing and routine access.

We have discussed this guidance on the Inside Medical Devices blog. Covered entities and business associates that rely on CSPs should take steps to ensure that they are in compliance with HIPAA’s requirements.

Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with…

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services. To learn more, click here.