Introduction
This article describes the following:
- Your responsibilities for Virginia Tech's Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) environments when using them for Electronic Protected Health Information (ePHI)
- Your responsibilities regarding the confidentiality, integrity, and availability of ePHI in these environments
- Your part of shared governance for ePHI, Azure, AWS, GCP, and the Health Insurance Portability and Accountability Act (HIPAA)
Explanation
Virginia Tech's Azure, AWS, and GCP environments are approved for use with ePHI; however, before you begin using them to store or process this type of data, you must meet the obligations outlined in the shared governance information below.
Your Obligations
- Understand your obligation to keep ePHI confidential [1] and to protect the privacy of the patients that it represents
- Have approval to create, receive, maintain, or transmit the ePHI from Scholarly Integrity and Research Compliance (SIRC, https://www.research.vt.edu/sirc.html) and the Office of Sponsored Programs (OSP, https://osp.vt.edu)
- Limit access to the data ONLY to those who are approved by SIRC or OSP
- Have completed a Privacy and Research Data Protections Consult (PRDP, https://internal.research.vt.edu/form/prdp-consultation-request-form) and the required training
- Report any unusual, suspect, or intentionally malicious activity regarding the environment immediately upon discovery to the Information Technology Security Office (ITSO, https://security.vt.edu)
- Be compliant with state and federal regulations regarding the use of ePHI (https://www.hhs.gov/hipaa/for-professionals/index.html, https://law.lis.virginia.gov/vacodepopularnames/personal-information-privacy-act/)
- Be compliant with all relevant university policies and procedures (https://policies.vt.edu)
Microsoft's Obligations
Amazon's Obligations
- Amazon's obligations are outlined in the Business Associate Agreement (BAA) with Virginia Tech (contact CCS for details)
Google's Obligations
Collaborative Computing Solutions' (CCS) Obligations
- Licensing, secure authentication, and support of Virginia Tech's AWS, GCP, and Azure Services
[1] Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes (HIPAA, Section 164.304).
Additional information regarding the use of ePHI at Virginia Tech can be found at:
Note:
It is the intent of Virginia Tech to maintain an environment in a way that promotes ethical, compliant, legal, and responsible conduct in all activities by users regarding ePHI. Nothing in this article supersedes, negates, or undermines any policies, rules, or obligations set forth by state/federal regulations or Virginia Tech.