UnitedHealthcare is focused on protecting customer and member information. As technology changes, we provide information about how best to use that technology to avoid data risks – in this case Cloud Service Providers (CSP). Beginning August 17, 2018, agents may use cloud services to store documents containing Protected Health Information (PHI), using the guidelines below.
What you need to know
The Department of Health and Human Services (HHS) has provided detailed cloud computing guidance for HIPAA Covered Entities and Business Associates. Learn more
What you need to do
- You can use a cloud service to store or process PHI; however, you must have a HIPAA-compliant business associate contract or agreement (BAA) with the CSP.
- TIP: Be sure to specifically ask your CSP to enter into a HIPAA-compliant BAA, because even the most well-known companies may not include this in their standard or free service agreements.
- You must conduct risk analyses to identify and assess potential threats and vulnerabilities to protected information.
- TIP: Be sure to evaluate and document the risks involved with sharing protected information with a CSP to make sure you have the proper technical safeguards to combat the risks.
Why you should care
Following these guidelines and best practices does two things:
- It helps protect customer and member information.
- It keeps you compliant with your UnitedHealthcare contractual and HIPAA data protection requirements.
The following organizations have established best practices for cloud computing which can supplement the HHS guidance.