In recent guidance, HHS expanded (HHS officials would probably prefer "clarified") the obligations of HIPAA covered entities, including employer-sponsored group health plans, and their business associates with respect to cloud computing. The bottom line is that whenever a cloud service provider holds electronic protected health information (ePHI), it becomes a business associate (if its relationship is with the health plan or employer) or a subcontractor to a business associate (if its relationship is with the health plan's consultant or vendor).

Why Is it Important if Cloud Computing Vendors Are Business Associates?

All health plans must have a business associate agreement with any person or entity that has any kind of access to PHI and is therefore deemed a business associate. Likewise, all business associates must have a similar contract with their own vendors that have access to PHI. Here's the wrinkle, though: HHS said that a cloud vendor has "access" to ePHI even if it only stores encrypted ePHI and does not hold the encryption key. Think about that for a minute. Without the encryption key, you can't read the data. HHS doesn't agree, though, so them's the rules.

With Whom Might I Need a BAA under this Clarification?

Look at every place where any health plan data might be stored or used, in particular the data systems of the HR staff who carry out health plan activities. If a cloud service is involved, chances are you'll need a BAA with that vendor. Here's a list you can use to start brainstorming.
  1. Offsite data server or backup maintained by a third party disaster recovery firm
  2. Cloud productivity products like G Suite (formerly Google Apps), Office 365, Dropbox, Evernote
  3. Outsourced IT support firm
  4. Cloud-based HR information systems that might store claims information, EOBs, etc.
Some cloud computing service providers are on the ball. Others are not. We've done a little research, and here's what we found:
  • Here are some of Microsoft's thoughts on the subject of HIPAA compliance. In classic Microsoft style, it's only understandable by IT folk.
  • Google will provide something resembling a BAA. See here.
  • According to this, Evernote apparently is not willing to entertain BAAs.
  • Dropbox will provide a BAA. Start here.
In addition to examining your health plan's own vendors, note that business associates themselves must have something like a BAA in place with their cloud computing vendors. Almost nobody these days owns their hosting servers, so it's a good bet that the business associates of health plans will need HIPAA-compliant contracts in place with their subcontractors. It would be worth the couple of minutes it takes to write an email and ask whether they do.