Table of contentsSectionAbout the editorlonGuidance on HIPaa Cloud Computing7Cloud Computing at the veterans AdministratiCloud Computing Concerns at GSANIST SeomputingDoD Guidance on commercial cloud serviceCloud Computing Studies by the gAod)Cloud Computing SecuritRequirements Guide (srG
er controls who is able to view the ePHi maintained by the CsP, certain accesscontrols, such as authentication or unique user identification, may be the responsibility of theustomer,while others, such as encryption, may be the responsibility of the csp businesssociate Which access controls are to be implemented by the customer and which are to belemented by the csp may depend on the respective security risk management plans of theI as the terms of the baareasonable and appropriate user authentication controls and agrees that the csP providing noview services need not implement additional procedures to authenticate(verify the identity of)aperson or entity seeking access to ePhl, these Security rule access control responsibilities wouldbe met for both parties by the action of the customerHowever, as a business associate, the CsP is still responsible under the Security ruleimplementing other reasonable and appropriate controls to limit accethat maintain customer ePHI For example, even when the parties have agreed that the custonIcating access to ePhIappropriate internal controluthorized acthe administramanage the resources(e
g, storage, memory, network interfaces, CPUs) critical to the operationof its information systems For example, a CSP that is ass associate needs to consider andaddress, as part of its risk analysis and risk management process,sks of a malicious actorhaving unauthorized access to its systems administrative tools, which could impact systemoperations and impact the confidentiality, integrity and availability of the customers ePHCSPs should also consider the risks of using unpatched or obsolete administrative tools TheCSP and the customer should each confirm in writither the baa or other documehow each partI address the security rule requirementsNote that where the contractual agreements between a Csp and customer provide that theustomer will control and implement certain security features of the cloud service consistent withthe Security Rule, and the customer fails to do so, OCR will consider this factor as important andelevant during any investigation into compliance of either the customer orPA CSP isthat are attributable solely to the actof the customer, as determined by the facts and circumstances of the particular casePrivacy Rule Considerationsly only use and disclose PHI as permitted by its BAA and the PrivacyRule, or as otherwise required by law While a Csp that provides only no-view services to acovered eor business associate customer may not control who views the ePhl, the csp still
If only uses and disthe encrypted information as permitted byBAA and the Privacy rule, or as otherwise required by law This includes, for exampleensuring the csp does not impermissibly use the ePHI by blocking or terminating access by thecustomer to the ePHl llurther, a Baa must include provisions that require the business associate to, among otherthings, make available PHI as necessary for the covered entity to meet its obligations to provideiduals with their rights to access, amend, and receive an accounting of certain disclosures ofth 45 CfR& 164504(e)(2)(1)(E)-(G) The baa between aCSPand a covered entity or business associate customer should describe in what manner the no-viewCSPese obligations-for example, a CSP may agree in the baa that it will makthe ePhI available to the customer for the purpose of incorporating amendments to ePHequested by the individual but only the customer will make those amendmentseach notification rule considerationsAs a business associate, a CSP that offers only no-view services to a covered entity or businessassociate still must comply with the hiPaa breach notification requirements that apply tobusiness associates In particular, a business associate is responsible for notifying the coveredentity (or the business associate with whhas contracted) of breaches of unsecured PHI See45 CFR8164410
Unsecured PHI is PhI that has not been destroyed or is not encrypted at theUnreadable, or Indecilble to unauthorized Individuals 12 If the ephi that has bebreached is encrypted consistent with the HIPAA standards set forth in 45 CFR 8 164402(2)andHHS Guidance [13 the incident falls within the breach "safe harbor and the csp businesssociate is not required to report the incident to its customer However, if the ePhIencrypted, but not at a level that meets the HIPAa standards or the decryption key was alsobreached, then the incident must be reported to its customer as a breach, unleexceptions to the definition of""breach"applies See 45 CFR$ 164 402 See also 45 CFR S164410 for more information about breach notification obligations for business associates3 Can a csp be considered to be a"condthe postal service, and therefore, notbusiness associate that must comply with the HIPAA Rules?&Generally, no CSPs that provide cloud services to a covered entity or business associate thatinvolve creating, receiving, or maintaining (e g, to process and/or store)electronic protected
health information(ePHi)meet the defiof a business assocthe csp canew the ePhi because it is encrypted and the csp does not have the decryption keyAs explained in previous guidance, 14] the conduit exception is limited to transmisservices for PhI(whether in electronic or paper form), including any temporary storage of PHIdent to such transmission Any access to PHI by a conduit is only transient in nature Incontrast, a CsP that maintains ePHI for the purpose of storing it will qualify as a businesssociate,and not a conduit, even if the csp does not actually view the information, because theresistent access to the ephiFurther, where a CsP provides traSIon servicescovered entity or business associatetaining ePHI for purposes of pronformation the csp is still a business associate with respect to such transmission of ephl thenduit exception appliesthe only services provided to a covered entity or businesssociate customer are for transmission of ePhi that do not involve any storage of thenformation other than on a temporary basis incident to the transmission service4 Which CSPs offer HIPAA-compliant cloud services?ocr does not endorse, certify, or recommend specific technology or produ5 what if a hiPaa covered eor business associate) uses a csp to maintain ephi withoufirst executing a business associate agreement with that CsFIf a covered entity(or business associate)uses a CSP to maintain(e g, to process or store)ectronic protected health information(ePHl) without entering into a BAa with the CsP, thecovered eor bus associate) is in violation of the hipaa rules 45 C
F R64308(b)(1)and $164502(e) OCr has entered into a resolution agreement and correctivetion plan with a covered entity that ocr determined stored ePHI of3 000 individualsa cloud-based server without entering into a baa with the csP [15rther a csp thathe definitibusiness associate- that is a CSP that createsreceives, maintains, or transmits PHI on behalf of a covered entity or another business associatmust comply with all applicable provisions of the HIPAA Rules, regardless of whether it hasexecuted a Baa with the entity using its services See 78 Fed Reg 5565, 5598(January 25
2013) OCR recognizes that they, however, be circumstances where a CsP may not hayactual or constructive know ledge that a covered entity or another business associate is using itservices to create receive, maintain or transmit ephi The hipaa rules provide anaffirmative defense in cases where a CsP takes action to correct any non-compliance within 30xtent of the non-compliance) of the time that it knew or should have known of theeg, at the point the csp knows or should have known that a covered entity or businessaining pHiLd ) 45 CFR 160410 This affirmative defensedoes not, however, apply in cases where the Csp was not aware of the violation due to its ownwillful neglectIf a Csp becomes aware that it is maintaining ePHl, it must come into compliance with theHIPAA Rules, or securely return the ePHI to the customer or, if agreed to by the customerecurely destroy the epHl
Once the CsP securely returns or destroys the ePHI(subjectarrangement with the customer), it is no longer a business associate recommend CSPshile a Csp maintains ePHl, the HIPAa Rules prohibit the Csp from using or disclosing thedata in a manner that is inconsistent with the rules6 If a CSP experiences a security insiderg a HIPaa covered entitys or businessassociate's ePHl, must it report the incident to the covered entity or business associateYes The Security Rule at 45 CFR 8 164308(a)(6(ii)requires business associates to identifyspected or known security incidents; mitigate, to the extent pracffects of security incidents thaknotincidents and their outcomes In addition, the Security rule at 45 CFR 8 164314(a)(2)(i)(C)that a business associate agreement must require the business associate to report, to thecovered entity or business associate whose electronic protected health information (ePhi)maintains, any security incidents of which it becomes aware A security incident under 45 CFR8164304 means the attempted or successful unauthorized access, use, disclosure, modificationor destruction of information or interference with system operations in an information systemTEassociate CSP must implement policies and procedures to address anddocument security incidents, and must report security incidents to its covered entity or businessassociate custer
Security Rule, however, is flexible and does not prescribe the level of detail, freqtormat of reports of security incidents, which may be worked out between the parties to thebusiness associate agreement(BAA) For example, the baa may prescribe differing levels ofdetail, frequency, and formatting of reports based on the nature of the security incidents-eghreat or exploitation of vulnerabilities, and the risk to the ePHi they poBAa could also specifyponses to certain incidents and whether identifyingpatterns of attempted security incidents is reasonable and appropriateNote, though, that the Breach Notification Rule specifies thetiming and otherrequirements for a business associate to report incidents that niseunsecured PHI to the covered entity (or biociateose behalf the bSee 45 CFR8 164 410 The BAA may specify more stringereg
, more timely )requirements for reporting than those required by the breach Notificationstill also meet the rules requirements but may not otherwise override theRules requirements for notification of breaches of unsecured PHIor more information on this topic, see the FAQ about reporting security incidents(althoughcted to plan sporans, the guidance is also relevant to businessssociates): [16] as well as ocr breach notification guidance [171Do the HiPAa Rules allow health care providers to use mobile devices to access ephl in aYes Health care providers, other covered entities, and business associates may use mobilephysical, administrative, and technical safeguardstect the confidentialityintegrity, and availability of the ePHl on the mobile device and in the cloud, and appropriateBAAS are in place with any third party service providers for the device and/or the cloud that willhave access to the e-PHI The HIPAA Rules do not endorse or require specific types ochnology, but rather establish the standards for how covered entities and business associatesmay use or disclose ePHI through certain technology while protecting the security of the ePHI byandasonable and appropriate administrative, technical, and physical safeguards to addressrisks OCR and onc have issued guidance on the use of mobile devices and tips for securingbile devices 1&
8 Do the hiPaa ricovered entity or business associate? time beyond wherCSPaintain ePhI forhas finished providing serviceNo, the HiPAA Rules generally do not require a business associate to maintain electroprotected health information (ePHI) beyond the time it provides services to a covered entitybusiness associate The Privacy Rule provides that a business associate agreement(BAA)murequire a business associate to return or destroy all PHI at the termination of the Baa whereIf such return or destruction is not feasible, the baa must extend the privacy and securityprotections of the baa to thend limit further uses and disclosures to those purposes thatmake the return or destruction of the information infeasible fple, return or destructiwould be considered"infeasible' if other law requires the business associate CSP to retain ePHIfor a period of time beyond the termination of the business associate contract [199 Do the HIPAA Rules allow a covered entity or business associate to use a csp that storesePHI on servers outside of the united statesYes, provided the covered entity (or business associate)enters into a business associatgreement (BAA)with the CsP and otherwise complies with the applicable requireHIPAA Rules
However while the hipaa rules dolde requirements specificprotection of electronic protected health information(ePHl) processed or stored by a CsP or anyther business associate outside of the United States, OCr notes that the risks to such ePHI mayary greatly depending on its geographic location In particular, outsourcing storage orotherervices for ePHl overseas may increase the risks and vulnerabilities to the information orspecial considerations with respect to enforceability of privacy andover the data Covered entities(and business associates, including the csp) should take thesesks into account when conducting the risk analysis and risk management required by theSecurity Rule See 45 CFR88 164308(a)(1)(1)(A)and (a)((ii)(B) For example, if ePHI ismaintained in a country where there are documented increased attempts at hacking or othermalware attacks, such risks should be considered, and entities must implement reasonable andappropriate technical safeguards to address such threats10 Do the HIPAa Rules require CSPs that are business associates to provide documentation, orallow auditing, of their security practices by their customers who are covered entities or business
No The HIPAA Rules require covered entity and business associate customers to obtainatisfactory assurances in the form of a business associate agreement (BAA)with the Csp thatCSP will, among other things, appropriately safeguard the protected health information(PHD)that it creates, receives, maintains or transmits for the covered entity or business associate inAA Rules, the csp is also direor failing to safeguardelectronic phicordance with the Security Rule [20] and fordisclosures of the PHI [21] The HIPAA Rules do not expressly require that a Csp providepractices However, customers may require from a CSP (through the BAA, service levey ity practicotherwise allow a customer to audit its seclgreement, or other documentation) additional assurances of protections for the PHl, such asdocumentation of safeguards or audits, based on their own risk analysis and risk management11 If a CSP receives and maintains only information that has been de-identified in accordancewith the HIPAA Privacy Rule, is it is a business associateA CSP is not a business associate if it receives and maintains(e g to process and/or storeonlyation de-identified following the processes required by the Privacy riPrivacy Rule does not restrict the use or disclosure of de-identified information, nor does thequireed to de-identified information as the informationis not considered protected health information
See the oCr guidance on de-identification forformation, 22[1]Seehttp://nvlpubsnistgpubs/Legacy/SP/nistspecialpublication800-145PcSeehttp://wwwhhsgov/hipaa/for-professionals/covered-entities/sample-buusiness-associateagreeme
About the editorMichael Erbschloe has worked for over 30 years performing analysis of theeconomics of information technology, public policy relating to technology, andutilizing technology in reengineering organization processes He has authoredseveral books on social and management issues of information technology thatwere published by Mc Graw Hill and other major publishers He has also taught atseveral universities and developed technology-related curriculum
His career hasfocused on several interrelated areasTechnology strategy, analysis, and forecastingTeaching and curriculum developmentoks and articlesPublishing and ediPublic policy analysis and program evaluationBooks by michael erbschloeThreat Level Red: Cybersecurity Research Programs of theUS Government(CRC Press)Social Media Warfare: Equal Weap Access to Improve Organizationalons for All(auerbach Publications)Security(Auerbach Publications)Physical Security for IT(Elsevier SciTrojans, Worms, and Spyware(Butterworth-Heinemann)Implementing Homeland Security in Enterprise IT(Digital Press)Guide to Disaster Recovery( Course TechnologySocially responsible IT Management(Digital PressInformation Warfare: How to Survive Cyber Attacks(McGraw Hill)The Executive's Guide to Privacy Management(McGraw hill)Net Privacy: A Guide to Developing Implementing an e-blPrivacy Plan(McGraw Hill)
ntroductionervices)that can be rapidly provisioned and released with minimal management effort eCloud computing is a model for enabling convenient, on-demand network access to a shareble computing resources(e g, networks, servers,service provider interaction The Cloud Computing model offers the promise of massive costcombined with increased IT agility Itdered critical thatd industryadoption of this technology in response to difficult economic constraints However, cloudomputing technology challenges many traditional approaches to datacenter and enterpriseapplication design and management Cloud computing is currently being used; howeversecurity, interoperability, and portability are cited as major barriers to broader adoptionThe National Institute of Standards and Technology (nist) has defined cloud computing as aodel for enabling ubiquitous, convenient, on-demand network access to a shared poolfigurable computing resources(e g, networks, servers, storage, applications, and servicesbe rapidd with minimaleffort or service providerEssential characteristicsOn-demand self-service A consumer can unilaterally provision computing capabilities, such aserver time and network swith each service providerBroad network access
Capabilities are available over the network and accessed through standardmechanisms that promote use by heterogeneous thin or thick client platforms(e g, mobileblesource pooling The provider's computing resources are pooled to serve multiple consumerstenant model, with different physical and virtual resources dynamically assignednd reassigned according to consumer demand There is a senseation independence in thatthe customer generally has noknowledge over thelocation of the providedesources but may be able to specify location at a higher level of abstraction (e g, country, state,datacenter) Examples of resources include storage, processing, memory, and networkRapid elasticity Capabilities can be elasticad and released in some casesautomatico scalerapidly outward and inward commensurate with demand To the
consumer, the capabilities available for provisioning often appear to be unlimited and can beappropriated in any quantity at any timeMeasured service Cloud systems automatically control and optimize resource use by leveraginga metering capability I at somestraction appropriate to the type of service(e gstorage, processing, bandwidth, and activents) Resource usage can be monitoredcontrolled, and reported, providing transparency for both the provider and consumer of theService modeSoftware as a Service(SaaS) The capability provided to the consumer is to use the providersapplications running on a cloud infrastructure The applies are accessible from variousclient devices through either a thin client interface, such as a web browser(e
g web-basedemail), or a program interface The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage, or even individualapplication capabilities, with the possible exception of limited user-specific applicationconfiguration settingsm as a Service(PaaS) The capability provided to the consumer is to deploy onto thecloud infrastructure consumer-created or acquired applications created using progralanguages, libraries, services, and tools supported by the provider 3 The consumer does nemanage or control the underlying cloud infrastructure including network, servers, operatingsystems, or storage, but has control over the deployed applications and possibly configurationapabilityded to the consumerprocessing, storage, networks, and other fundamental computing resources where the consumerdeploy and run arbitrary software, which can include operating systems ande consumer does not manage or control the underlying cloud infrastructure buthas control over operating systems, storage, and deployed applications; and possibly limitedcontrol of select networking components(e g, host firewalls)Private cloud The cloud infrastructure is provisioned for exclusive use by a single organizationomprising multiple consumers(e g, business units) It may be owned, managed, and operatedby the organization, a third party, or some combination of them, and it may exist on or off
Community cloud The cloud infrastructure is proyed forcificommunity of consumers from organizations that have shared concerns(e g, mission, securityrequirements, policy, and compliance considerations) It may be owned, managed, anddby one or more of the organizations in the community, a third party, or some combination ofthem, and it may exist on or off premisesPublic cloud The cloud infrastructure is provisioned for open use by the general public It maybe owned, managed, and operated by a business, academic, or government organization, or somcombination of them
It exists on the premises of the cloud providerHybrid cloud The cloud infrastructure is a composition of two or more distinct cloudinfrastructures(private, community, or public) that remain unique entities, but are boundtogether by standardized or proprietary technology that enables data and application portability(e g, cloud bursting for load balancing between clouds)ttps: //csrc nist gov/publications/detail/sp/800-145final #tpubs-abstract-heade
Guidance on HIPAA Cloud ComputingWith the proliferation and widespread adoption of cloud computing solutions, HIPAA coveredentities and business associates are questiwhether and how they can take advantagecloud computing while complying with regulations protecting the privacy and security oflectronic protected health information(ePHI This guidance assists such entities, includincloud services providers(CSPs), in understanding their HIPAaCloud computing takes many forms This guidance focuses on cloud resources offered by a CShthat is an entity legally separate from the covered entityate considetheof its services CSPs generally offer online access to shared computing resources with varyinglevels of functionality depending on the users'requirementsomplete software solutions(e g, an electronic medical record system), platforms to simplify thebility of application developers to create new products, andoftware programmers to deploy and test programs
Common cloud serviceinternet access to computing(eg, networks, servers, storage, applications)services, Wencourage covered entities and business associates seeking information about types of cloudcomputing services and technical arrangement options to consult a resource offered by theNational Institute of Standards and Technology; SP 800-145, The NIST DefiIof CloudComputing-PDFThe HIPAA Privacy, Security, and Breach Notification Rules(the HIPAA Rules)establishinformation or phited, received, maintained, or transmitted by a HIPAA coveredity or business associate), including limitations on uses and disclosures of such informationsafeguardsappropriate uses and disclosures, and individuals rights with respecteir health information Covered entities and business associates must comply with theapplicable provisions of the HIPAA Rules A covered entity is a health plan, a health careclearinghouse, or a health care provider who conducts certain billing and payment relatedtransactions electronically a business associate is an entity or person, other than a member othe workforce of a covered entity, that performs functions or activities on behalf of, or provideertain services to, a covered entity that involve creating, receiving, maintainPHI a business associate also is any subcontractor that creates, receives, maintains, or transmiton behalf of another business associateWhen a covered entity engages the services of a CSP to create, receive,ePHI (such as to process and/or store ePHI), on its behalf, the Csp is a business associate under
HIPAA Further when a busiociate subcontracts with a csP to createor transmit ephi on its behalf the csp subcontractor itself is a business associate This is trueeven if the csp processes or stores only encrypted ePHI and lacks an encryption key for the dataLacking an encryption key does not exempt a CSP from business associate status and obligations(or business associate)and the csPHIPAAgiant b(BAA), and the Csp is bothcontractually liable for meeting the terms of the baa and directly liable for compliance with theapplicable requirementsHIPAA Ruless guidance presents key questions and answers to assist HIPAa regulated CSPs and theirustomers in understanding their responsibilities under the hiPaa rules when they creatreceive, maintain or transmit ePHI using cloud products and servicesMay a HIPAa covered entity or business associate use a cloudPHIded the covered entity or business associate enters into a HIPAA-compliant businessassociate contract or agreement(BAA)with the CsP that will be creating, receivingmaintaining, or transmitting electronic protected health information(ePHi)on its behalf, andtherwise complies with the HIPAa Rules Among other things, the BAa establishes thetted and required uses and disclosures of ePHi by theate performingctivities or services for the covered entity or business associate, based on the relationshipbetween the parties and the activities or services being performed by the business associate TheBAA also contractually requires the business associate to appropriately safeguard the ePHIcluding implementing the requirements of the Security Rule
OCr has created guidance on theelements of BAAs 2A covered entity (or business associate) that engages a CSP should understand the cloudcomputing environment or solution offered by a particular CSP so that the covered entity(orbusiness associate) can appropriately conduct its own risk analysis and establish risknagement policies, as well as enter into appropriate BAAs See 45 CFR SS164308(a(1(i)(A): 164308(a)(1(i1)(B); and 164502 Both covered entities and businessssociates must conduct risk analyses to identify and assess potential threats and vulnerabilitiesto the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, orransmit For example, while a covered entity or business associate may use cloud-base
ly configuration(public, hybrid, private, etcters into a baa withthe csP, the type of cloud configuration to be used may affect the risk analysis and riskmanagement plans of all parties and the resultant provisions of the baaIn addition, a Service Level Agreement (SLA)[4 is commonly used to address more specifictations between the csp andalso may be relevant to HIPAAcompliance For example, SLAs can include provisions that address such HIPAA concerns asSystem availabilityck-up and data recovery(e g, as necessary to be able to respond to a ransomware attack orMannerhich data will be returned to the customer after service use terminationecurity responsibility; andUse retention and dif a covered entity or business associate enters into a sla with a csP it should ensure that theterms of the sla are consistent with the baa and the HIPAa rules For example, the coveredentity or business associate should ensure that the terms of the sla and baa with the csp depreventolation of45CFR§§164
308(b)(364502(c)(2),andl64504(e)(1)[6addition to its contractualations, the CsP, as a business associate, has regulatorybligations and is directly liable under the hipaa rules if it makes uses and disclosures of Pht are not authorized by its contract, required by law, or permitted by the privace A CSPa business associate, also is directly liable if it fails to safeguard ePHI in accordance with theSecurity Rule, or fails to notify the covered entity or business associate of the discovery of abreach of unsecured phi in compliance with the breach notification riFor more information about the Security rule, see OCr and onc toolsOCR guidance on SR compliance [18
2 If a CSP stores only encrypted ePhI and does not have a decryption key, is it a HIPAAYes band maintains(e g, to process and/or store)electronic protectedhealth information (ePhld coveed entity or another business associate Lacking anencryption key for the encrypted data it receives and nns doesCSP frobusiness associate status and associated obligations under the HIPAA Rules An entity thatmaintains ePHI on behalf of a covered entity (or another business associate)is a businesshe ephi
9 Thus, a csp thaencrypted ePHl on behalf a covered entity(or another business associate)is a business associate,convenience purposes this guidance uses the term no-viewservices to dewhich the CSP maintains encrypted ePhI on behalf of a covered entity(or another businessssociate)without having access to the decryption keyWhile encryption protects epHi by significantly reducing the risk of the information beinviewed by unauthorized persons, such protections alone cannot adequately safeguard thetiality, integrity, and availability of ePHI as required by the Securitydoes not maintain the integrity and availability of the ePhas ensuring that the informationis not corrupted by malware, or ensuring through contingency planning that the data remainsavailable to authorized persons even during emergency or disaster situations Further, encryptiondoes not address other safeguards that are also important to maintaining confidentiality, such asadministrative safeguards to analyze risks to the ePHl or physical safeguards for systems andervers that may house the ePhIAs a business associate, a CSP providing no-view services is not exempt from any otherwiseapplicable requirements of the HIPAA rules However, the requirements of the rules areflexible and scalable to take into account the no-view nature of the services provided by the cspSecurity rule considerationsAll CSPs that are business associates must comply with the applicable standards andimplementation specifications of the Security Rule with respect to ePHI However, in caseswhere a CsP is providing only no-view services to a covered entity(or business associatebe satisfied for both parties through the actions of one of the parties In particula