Today, the HHS Office of Civil Rights released guidance to clarify HIPAA obligations for companies storing and sharing health information in the cloud. This comes after a 2014 pledge to Congress from HHS Secretary Sylvia Burwell to work with ACT | The App Association and its Connected Health Initiative to make the regulatory environment better for connected health companies. In response, Morgan Reed, executive director of ACT | The App Association and president of the Connected Health Initiative, released the following statement:
The Office of Civil Rights (OCR) provided much-needed clarity around several outstanding questions regarding the cloud services that we as consumers rely on every day. In particular, we are glad to see affirmation that cloud computing can be used with electronic protected health information.
We were particularly interested in OCR’s clarification that even if the cloud service provider stores encrypted data and does not have a decryption key, it must still sign business associate agreements. Companies that fall under the newly created term, “no-view service provider,” will face compliance questions around access which must be resolved.
Of course, further outstanding HIPAA questions remain as well. For example, there is still a lack of clarity around texting and messaging, which are central to patients’ and physicians’ lives. We look forward to working with OCR on these important issues.