Cloud computing changes the dynamics of certain parts of HIPAA's Security requirements. In a cloud computing scenario, most security activities occur in partnership between vendor and client; in other words, while ultimate responsibility for compliance always resides with your company, the actual implementation of certain operational aspects of security occurs at the business associate cloud provider. One straightforward way to maintain compliance is a business associate contract.
If your company determines that a business associate contract is necessary, the next question is what should be in it. Of course, all required elements of both the HIPAA Privacy and Security Rules should be included. These include provisions related to:
• Uses and disclosures of PHI;
• Facilitation of patient rights to access or amend their own PHI in a designated record set (if the cloud provider will have designated record set information, e.g., information used in whole or in part to make decisions about patients);
• Patients’ right to receive an accounting of certain disclosures (including such disclosures by business associates);
• Safeguarding of PHI;
• Access of HHS to records during an HHS investigation of HIPAA compliance;
• Restrictions for agents or subcontractors who receive PHI;
• Notification requirements for impermissible uses or disclosures or security incidents at the cloud provider involving the PHI;
• Termination provisions, including how PHI will be handled at contract termination (e.g., returned, destroyed, or maintained by the cloud provider subject to continuing restrictions); and
• Whether the cloud provider may use or disclose PHI for its own administration and management or perform certain data aggregation services (optional – the covered entity need not permit the cloud provider to do so).