The Department of Health and Human Services’ Office of Civil Rights (OCR) has issued guidelines for HIPAA-covered entities that utilize cloud computing in processing electronic protected health information (ePHI). The increased use of cloud computing when HHS is stepping up enforcement makes this particularly timing.

The document is lengthy, and is worth reading in its entirety. But five highlights that struck us are:

Overall, the OCR guidance continues to indicate regulatory flexibility in enforcement. On the plus side, this enables covered entities and business associates to exercise discretion in determining the appropriate level of safeguards for themselves. On the negative side, this flexibility comes at a cost: guidelines are recommended, but adherence offers no guarantees. In HIPAA enforcement, as in many others, in the words of Justice Oliver Wendell Holmes, Jr., “the life of the law has not been logic; it has been experience.”

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.

◀︎ Back to Thought Leadership
What you Need to Know

Read Related Articles