Can I use third-party cloud storage services that collect personal information in Kentucky? What are the requirements?
Answer
Yes, you can use third-party cloud storage services that collect personal information in Kentucky, but you must comply with certain requirements.
According to [2], a HIPAA covered entity or business associate may use a cloud service to store or process ePHI, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the cloud service provider (CSP). The BAA must ensure that the CSP will appropriately safeguard the confidentiality, integrity, and availability of the customer’s ePHI. The CSP and the customer should each confirm in writing, in either the BAA or other documents, how each party will address the Security Rule requirements.
Additionally, [3] states that entities must ensure that their third-party cloud provider complies with the Tax Information Security Guidelines through a legally binding contract or SLA. The contract or SLA should include provisions for data isolation, which means that the software and/or services that receive, transmit, or store tax information must be logically or physically separated from other software and/or services.
Therefore, if you want to use third-party cloud storage services that collect personal information in Kentucky, you must ensure that the cloud service provider complies with the relevant regulations and guidelines, and that you have a legally binding contract or agreement with the provider that includes provisions for safeguarding the confidentiality, integrity, and availability of the data, as well as data isolation.
Jurisdiction
Kentucky