Developers and HIPAA

Unencrypted PHI in the Cloud

From Kevin Wiggins, Saul Ewing: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data remanence, thus leaving PHI on the Cloud. NIST Special Publication 800-80 addresses this by suggesting CEs use crypto-erase. What if the CE previously sent unencrypted PHI to the Cloud? Is it as simple as extending the protections of the contract to the information and limiting further uses and disclosures to those purposes that make the return or destruction of the information infeasible?


1 vote
1 up votes
0 down votes
Question No. 33