On May 20, 2021, the Belgian Supervisory Authority (Belgian SA) approved the EU Cloud Code of Conduct (EU Cloud CoC).[1] This is the first time that a Supervisory Authority has approved a transnational, industry-wide code of conduct under the General Data Protection Regulation (GDPR).[2] Cloud service providers (CSPs) will be able to rely on their adherence to the code to demonstrate compliance with the GDPR as a data processor. Although the EU Cloud CoC does not yet qualify as an appropriate safeguard for international data transfers, a separate module is currently under discussion and should, when adopted, accommodate such transfers.
Continue Reading Belgian DPA Approves Code of Conduct for the Cloud Industry

A recently issued government rule may unknowingly create significant liability and legal risk for many technology enterprises. The expanded definition of “business associates” and related interpretations by the Department of Health and Human Services (HHS) suggest that many companies should revisit how they provide services and ask whether they are providing their services to health care providers, health plans, or health care clearing houses (collectively, “covered entities”). HHS seeks to implement the mandates of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) by modifying its regulatory scheme (the “HIPAA Rules”) that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 Two of the most important changes involve “business associates,” defined as entities that perform functions or activities on behalf of covered entities or other business associates that involve the use or disclosure of protected health information (PHI). Among many other changes, the omnibus rule:

  1. expanded the definition of “business associate” and
  2. placed the obligation of HIPAA compliance directly on business associates.

Continue Reading Cloud Storage Providers Storing Protected Health Information May Be Obligated to Comply with HIPAA Regulations