Close Close
Popular Financial Topics Discover relevant content from across the suite of ALM legal publications From the Industry More content from ThinkAdvisor and select sponsors Investment Advisor Issue Gallery Read digital editions of Investment Advisor Magazine Tax Facts Get clear, current, and reliable answers to pressing tax questions
Luminaries Awards

Life Health > Health Insurance

Cloud managers can park health data overseas, feds say

Your article was successfully shared with the contacts you provided.

Federal regulators may have helped data services companies, and made life harder for health insurers, health insurance brokers and other users of personal health information, in a new batch of advice aimed at cloud services providers and users.

Officials at the Office for Civil Rights at the U.S. Department of Health and Human Services prepared the advice, or “guidance,” to explain how federal health information privacy and data security rules apply to cloud services.

The Health Insurance Portability and Accountability Act of 1996 and later, related laws and regulations have set strict federal rules for protecting “protected health information.

Related: Cellphone loss leads to $650,000 HIPAA settlement

The HHS Office for Civil Rights classifies health insurers, along with hospitals, doctors and health care providers, as “covered entities,” or organizations that are directly covered by the HIPAA health information rules.

The office classifies health insurance agents and brokers who handle protected health information as “business associates” of the covered entities, and it subjects business associates to similar rules and audit programs.

About a year ago, the office looked at the data services vendors that help business associates handle protected health information. The office decided that the data services subcontractors of the covered entities’ business associates are, actually, business associates of the business associates.

If, for example, a health insurance agent who is a HIPAA business associate uses a data storage company to store customer health data, the agent needs to get the data storage company to sign a business associate agreement.

In the new batch of guidance, the Office for Civil Rights officials talk about what all of that means for cloud services providers, or companies that provide information services via computers and networks located somewhere out on the Internet.

For a look at some of what’s in the guidance, read on:

The data services customers have to assess the cloud services provider's data security efforts, officials say. (Image: Thinkstock)

The data services customers have to assess the cloud services provider’s data security efforts, officials say. (Image: Thinkstock)

Have you looked at your cloud services provider’s computers lately?

Both HIPAA covered entities and HIPAA business associates can use cloud services providers, or CSPs, officials say in the new guidance.

HIPAA does not require the cloud services providers to let health data clients audit them, officials say.

Instead, the health data clients have to analyze how well a cloud services provider handles concerns such as system reliability, data security, and data backup and recovery services, officials say.

A HIPAA-compliant cloud services provider can, for example, store the commercial customers protected health information data outside the United States, officials say.

The health data services customers can ask the cloud services providers for documentation of security safeguards or audits, if the customers think that’s necessary for risk analysis and management, officials say.

But the hospitals, insurers and brokers are the parties that have to think about where the cloud services providers’ servers are located, how likely hackers are to attack the overseas servers, and how effective the cloud services providers’ defenses are.

If a covered entity or business associate stores protected health information on a cloud-based service without getting a business associate agreement from the provider, that could lead to HIPAA violation fines, officials say.

The cloud services provider itself must comply with the HIPAA business associate rules within 30 days after the point at which it knows, or should know, that it’s handling protected health information, officials say. 

If a cloud services provider learns that it’s handling protected health information, it must comply with the HIPAA rules, return the information to the customer, or, if the customer prefers, destroy the protected health information, officials say.

“We recommend CSPs document these actions,” officials say.


Google’s DeepMind forms health unit to build medical software

Feds to probe small health data breach cases

Have you followed us on Facebook?


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.