Federal regulators may have helped data services companies, and made life harder for health insurers, health insurance brokers and other users of personal health information, in a new batch of advice aimed at cloud services providers and users.
Officials at the Office for Civil Rights at the U.S. Department of Health and Human Services prepared the advice, or “guidance,” to explain how federal health information privacy and data security rules apply to cloud services.
The Health Insurance Portability and Accountability Act of 1996 and later, related laws and regulations have set strict federal rules for protecting “protected health information.”
The HHS Office for Civil Rights classifies health insurers, along with hospitals, doctors and health care providers, as “covered entities,” or organizations that are directly covered by the HIPAA health information rules.
The office classifies health insurance agents and brokers who handle protected health information as “business associates” of the covered entities, and it subjects business associates to similar rules and audit programs.
About a year ago, the office looked at the data services vendors that help business associates handle protected health information. The office decided that the data services subcontractors of the covered entities’ business associates are themselves business associates of those business associates.
If, for example, a health insurance agent who is a HIPAA business associate uses a data storage company to store customer health data, the agent needs to get the data storage company to sign a business associate agreement.
In the new batch of guidance, the Office for Civil Rights officials talk about what all of that means for cloud services providers, or companies that provide information services via computers and networks located somewhere out on the Internet.
For a look at some of what’s in the guidance, read on:
The data services customers have to assess the cloud services provider’s data security efforts, officials say.
Have you looked at your cloud services provider’s computers lately?
Both HIPAA covered entities and HIPAA business associates can use cloud services providers, or CSPs, officials say in the new guidance.
HIPAA does not require the cloud services providers to let health data clients audit them, officials say.