What do I need to consider before using Cloud Services for any RI, including PHI?

Frequently Asked Questions

Cloud Services What do I need to consider before using Cloud Services for any RI, including PHI? A HIPAA Business Associate Agreement (BAA) must be in place before storing UCLA PHI in the cloud. For Restricted Information for research subjects, employees, students, etc. that is not PHI, Data Security Agreements must to be in place. To further protect confidential UCLA information, a UCLA Purchasing Agreement may also be needed. Providers of free Cloud services generally have declined to sign the above Agreements so always check first with the Office of Compliance Services (InfoSecAll@mednet.ucla.edu) before using Cloud Services to store or share RI. 1

Cloud Services

A HIPAA Business Associate Agreement (BAA) must be in place before storing UCLA PHI in the cloud.
For Restricted Information for research subjects, employees, students, etc. that is not PHI, Data Security Agreements must to be in place.
To further protect confidential UCLA information, a UCLA Purchasing Agreement may also be needed.
Providers of free Cloud services generally have declined to sign the above Agreements so always check first with the Office of Compliance Services (InfoSecAll@mednet.ucla.edu) before using Cloud Services to store or share RI.