September 20, 2020

Volume X, Number 264


Office for Civil Rights Clears Air with Cloud Guidance

Covered entities and business associates alike should take a close look at the latest federal Cloud Guidance and an even closer look at their relationships with cloud vendors - particularly given that the Office for Civil Rights (OCR) has made it abundantly clear that it does not hesitate to enforce against entities that impermissibly disclose Protected Health Information (PHI) to vendors without satisfactory assurances in place.

In the past year, the Department of Health and Human Services' Office for Civil Rights (OCR) has issued a number of guidance documents* to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164; collectively, “the HIPAA Rules”). Its latest guidance (the Cloud Guidance) clarifies, through a series of FAQs, OCR’s position on cloud service providers (CSPs) as business associates and the related requirements under the HIPAA Rules. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud, versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that covered entities and CSPs have debated for quite some time: whether a CSP is a business associate if the PHI stored in its cloud is encrypted and the CSP does not possess the encryption key.


© Polsinelli PC, Polsinelli LLP in California

National Law Review, Volume VI, Number 294


About this Author

Lisa J. Acevedo, Polsinelli, HIPAA Compliance Lawyer, Health Privacy Matters Attorney

Lisa Acevedo provides strategic counsel in the areas of federal health privacy laws, including HIPAA, as amended by the HITECH Act, FERPA, the Confidentiality of Alcohol and Drug Abuse Treatment Records Regulation, as well as state laws governing the confidentiality of health information, medical records, mental health records, and records containing other highly sensitive information. She has assisted clients through security breaches and the notification process, both at the federal and state levels.   

She guides clients through the...

Erin Fleming Dunlap, Polsinelli, Compliance Matters Attorney, Health Insurance Portability Lawyer

Erin Dunlap is proactive and quick to respond to clients' needs. She regularly advises health care clients on legal and regulatory compliance matters. She also has a litigation background that enables her to assist clients when things do not go as planned, such as when a laptop containing patient information is stolen, a patient threatens to sue for improper disclosure, or law enforcement demands the production of medical records. 

Erin focuses primarily on privacy and security issues arising under:

  • Health Insurance Portability and Accountability Act

  • Health Information Technology for Economic and Clinical Health Act

  • Federal Regulation 42 CFR Part 2

  • State privacy and breach notification laws 

Daniel L. Farris, Polsinelli PC, Fiber Optic Networking Lawyer, Data Center Operations Attorney, Chicago

As a former software engineer and network administrator in the telecommunications industry, Daniel offers his clients real-world experience in fiber optic networking, data center operations, cloud computing, mobile app development, and data privacy and security matters.  His practice is founded upon understanding how technology can strengthen and expand the core mission of his clients’ businesses.

Lisa Katz, Polsinelli Law Firm, Health Care Attorney

Lisa Katz brings her passion for the law to a unique hybrid skill set spanning health care transactional and regulatory compliance work as well as the financial services industry. On behalf of her health care provider clients, she interprets a broad range of regulatory and corporate compliance issues. These include:

  • Privacy and security of health information

  • Medicare and Medicaid reimbursement

  • Licensing and fraud

  • ...

Katie Kenney specializes in HIPAA/HITECH issues and delivers particular strength in privacy, security, and breach regulatory issues for covered entities and business associates.  Prior to joining the firm, Katie worked for the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).  At OCR, she served as the subject matter expert for breach notification, assisted in the administrative rulemaking process, drafted Preamble language for the recently published Omnibus Rule amending HIPAA, and actively participated on OCR’s audit team.  Katie’s time at...