Does New Remote Access to Computing Resources Create a Cloud to HIPAA Privacy Issues?

Cloud computing has recently enabled the computer user to access several different computing resources from remote locations. Cloud computing essentially provides remote access to shared computing resources such as networks, servers, storage devices, and applications.

Before instituting a Cloud device in the workplace setting, employers should be aware of the HIPAA privacy issues that may be unique to Cloud computing. Unique security settings should be evaluated and put in place to ensure that a Covered Entity is complying with the requirements of HIPAA. Furthermore, issues arise as to whether a business associate agreement should be entered into with the Cloud service provider.

The Health and Human Services Commission generally requires a business associate contract when a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities; the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections).

Several issues have arisen as to whether the Cloud provider needs to enter into a business associate agreement with the Covered Entity. The US Department of Health and Human Services has not provided any guidance on this subject. However, a Cloud provider may be considered a business associate of a Covered Entity if it either:

- Performs or assists in performing functions or activities for a Covered Entity that involve the use or disclosure of Protected Health Information (“PHI”); or

- Provides certain kinds of services that necessarily involve the disclosure of PHI.

Essentially, an employer needs to look at the type of Cloud device it is going to use and what kind of access the Cloud provider will have to PHI. The more access the provider has, the more likely the Covered Entity and the provider need to enter into a business associate agreement.

The good news is that Cloud providers generally provide resources to customize the access options for the clients of the Cloud service. As such, a covered entity should consult with its in-house IT department or contact outside personnel in order to properly assess whether the PHI is free from remote access by unauthorized users. It is also of paramount importance that the service provider’s access to PHI be understood before engaging in the use of the Cloud.

If you have any questions about the technology and privacy issues for your business, please do not hesitate to contact a member of Underwood’s Employment Law Section.

This column is published for informational purposes only. It should not be construed as legal advice and is not intended to create an attorney-client relationship. The views expressed are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.