Question:
I wanted to pass along the link to the HHS Guidance on HIPAA and Cloud Computing:
https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
Please take some time to review this very helpful Guidance. Now, when a business associate subcontracts with a cloud service provider (CSP), does the CSP become a business associate under HIPAA? Does the outcome in that regard seem fair to you? Why or why not? Also, assume that a BA subcontracts with a CSP only to store encrypted ePHI and does not provide the CSP with the encryption key for the encrypted data. Under those circumstances, is the CSP still deemed to be a business associate under HIPAA? What reasons can you articulate that would support considering the CSP a BA under those circumstances? Can you identify any reasons that it would be unfair and unreasonable to consider the CSP a BA under those circumstances? Do you think the potential security and privacy protections of HIPAA compliance by a subcontractor CSP who is provided only with encrypted ePHI justify the costs to that subcontractor? Why or why not?
Finally, what is a service level agreement (SLA)? What is the purpose of a SLA? If a business associate enters into a SLA with a cloud service provider, do the parties still need to execute a business associate agreement (BAA) to be HIPAA compliant? If so, why? Thoughts?