If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?
No. A CSP is not a business associate if it [...]
Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?
No. The HIPAA Rules require covered entity and business [...]
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States
Yes, provided the covered entity (or business associate) enters into [...]
Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate
No, the HIPAA Rules generally do not require a business [...]
Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?
Yes. Health care providers, other covered entities, and business associates [...]
If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?
Yes. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires [...]
What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
If a covered entity (or business associate) uses a CSP [...]
Which CSPs offer HIPAA-compliant cloud services?
OCR does not endorse, certify, or recommend specific technology or [...]
Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Generally, no. CSPs that provide cloud services to a covered [...]
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Yes, because the CSP receives and maintains (e.g., to process [...]