Updated 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

HIPAA and Cloud Computing

On October 7, 2016, HHS released a guidance on HIPAA and cloud computing.¹ As the use of cloud computing continues to grow, it is important for HIPAA covered entities and their Cloud Service Providers (CSPs) to understand how they can use cloud computing while still following HIPAA rules and regulations put in place to protect ePHI.

What is cloud computing?

Cloud computing is defined by IBM as “the delivery of on-demand computing resources—everything from applications to data centers—over the Internet on a pay-for-use basis.”² Many of the applications we use every day are cloud computing services. For example, Google Drive, iCloud, Dropbox, and Netflix all use the cloud.

How can cloud computing be used?

Some common uses of cloud computing are:

  • Storing and retrieving files
  • Disaster recovery
  • Unlimited backup space

Can cloud computing be used by HIPAA covered entities/business associates?

HHS has determined that HIPAA covered entities and business associates are permitted to use cloud computing to store and process ePHI as long as they have a Business Associate Agreement (BAA) with the CSP. This agreement would make the CSP responsible for safeguarding ePHI in compliance with the HIPAA Security Rule.

Even if the CSP is only used for storing encrypted data with no access to the decryption key, the CSP is still a business associate because it is receiving and maintaining ePHI for a covered entity or business associate. Encryption does not completely protect ePHI. For example, the information is still vulnerable to natural disasters or malware attacks. It is up to the CSPs to protect this information because they are storing it.

Relationship between Cloud Service Providers and HIPAA covered entity

While there is a conduit exception in which a business like the postal service or phone service provider would not be considered a business associate that has to comply with HIPAA, this exception does not apply to CSPs. This exception is for services that only transmit PHI and CSPs store PHI.

A CSP is considered a business associate of the covered entity whose ePHI it creates, receives, maintains or transmits. Thus, a CSP and the HIPAA covered entity are to enter a BAA. CSPs are then responsible under the Security Rule for protecting ePHI by implementing controls that limit access to the information. Additionally, HHS Office for Civil Rights (OCR) states that the BAA must include provisions requiring the CSP to make PHI available as necessary to the HIPAA covered entity.

Like any other business associate, CSPs need to alert the HIPAA covered entity of any security incident involving their PHI. Business associates must also respond to the security incident and attempt to fix it to the best of their ability. OCR states “a business associate CSP must implement policies and procedures to address and document security incidents, and must report security incidents to its covered entity or business associate customer.”¹ Use the BAA to specify the level of detail, such as how soon a breach must be reported to the covered entity. Though, it is not up to the CSP alone to protect PHI. CSPs as business associates and covered entities share the responsibility of protecting PHI.

What we recommend for a Security Plan for cloud computing:

Putting ePHI in the hands of a 3rd party requires careful selection of which CSP you want to choose. HHS does not endorse or recommend specific products. However, we suggest you complete these 6 HIPAA compliance tasks before selecting the right CSP for your organization.

  1. Risk Assessment: Does your provider meets all of your HIPAA protocols?
  2. Business Associate Agreements: Does the cloud provider understand the need to backup data, protect the integrity of the information and have it available 24/7.
  3. Encryption Standards: What standard do they use? Your provider should use a minimum of 128-bit encryption and encrypt all files in transit, storage and at rest.
  4. Logging: Can your CSP produce a log of who accessed what files when?
  5. Access Levels: Can your provider allow you to designate access levels for information?
  6. Audit Report: Can your CSP produce an annual HIPAA audit report conducted by a reputable third party that you can review?

BAAs and requirements

HHS states that using a CSP to maintain ePHI without first signing a BAA is in violation of HIPAA. Since CSPs either receive, maintain, or transmit ePHI on behalf of a covered entity or business associate, they are considered a business associate or a business associate subcontractor and it is your responsibility to be sure the CSP is in compliance with HIPAA. The CSP must either come into compliance with HIPAA Rules or securely return the ePHI to the customer if requested.

Privacy Rule states that a BAA must require a business associate to return or destroy all ePHI at the termination of the agreement.” Since the CSP is not required to maintain the data beyond the time specified in their agreement the covered entity is responsible to offload any data needed before the agreement terminates.

HIPAA does not require a business associate CSP to provide documentation of its security practices, but the CSP is directly liable for failing to safeguard ePHI in accordance with the Security Rule. However, customers can require documentation of safeguards through the BAA. The business associate CSP is responsible for implementing reasonable and appropriate controls to protect the ePHI it maintains.

Additionally, if a CSP experiences a security problem with the covered entity’s or business associate’s ePHI, the CSP is responsible for reporting this security incident to the covered entity or business associate. If a business associate discovers a breach, they must provide notification without unreasonable delay and not later than 60 days after discovery of the breach. A business associate CSP must have policies and procedures in place to address, document, and report security concerns.

HIPAA rules do allow covered entities and business associates to use a CSP from outside the US as long as a BAA is entered with the business associate CSP. However, outsourcing these services abroad often include increased risks to the ePHI. When covered entities and business associates complete their risk analysis, these security risks should be taken into consideration.

Access to the cloud

HHS has permitted health care providers, business associates, and covered entities to access ePHI through the cloud on mobile devices. As long as safeguards are put in place, both on the mobile device and the cloud, to protect the ePHI. For mobile device access, BAAs should also be in place with third party providers for the device as well as for the cloud services.

It is also required that business associate CSPs always make the information available to the covered entity or business associate whose ePHI they maintain even in the event of a disaster situation.

One exception: de-identified information

A CSP is not a business associate if it receives and maintains (e.g., to process and/or store) only information de-identified following the processes required by the Privacy Rule.” HHS provides guidance for de-identification of PHI in accordance with the HIPAA Rule here.

Conclusion

Cloud computing is a cost-effective solution for storing and securing ePHI. The use of cloud storage is continuing to grow in businesses that control or generate PHI. So, it is important to understand how to safely use these third party CSPs for storage of ePHI. If used properly, cloud storage can be a huge advantage for your organization by saving you time and money.

The main take away from this guidance by HHS is to make sure there is a BAA in place to protect ePHI before storing data with a CSP. When entering into a BAA with a CSP, include agreements on reporting, access, and rules for maintaining ePHI. As the use of cloud services continues to grow, understanding the relationship between the covered entity or business associate and the CSP is extremely important to the protection of ePHI.

  1. http://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
  2. https://www.ibm.com/cloud-computing/what-is-cloud-computing

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)