11 Mar
Role of the HIPAA Business Associate for HIPAA Cloud Requirements
Does going cloud really mean sacrificing security and privacy for financial and strategic benefits? It shouldn’t.
Cloud computing has a proven ability to let businesses expand at lower cost, yet HIPAA covered entities are often reluctant to move to the cloud because they are concerned about security, privacy and risk.
A HIPAA Business Associate Agreement is a Must
Many cloud offerings describe themselves as HIPAA compliant, but compliance is about more than security controls and data centers. A cloud service provider that is genuinely able to support healthcare organizations and other covered entities will offer a HIPAA business associate agreement (BAA) as a standard component of its cloud offering, not as a special request.
A HIPAA BAA is the contract that binds your cloud service provider, and through it every hosting employee who handles Protected Health Information (PHI), to the HIPAA safeguard requirements and to the provider's responsibilities under the Security Rule. It does not by itself make the service secure; it makes the provider legally accountable for the safeguards it has agreed to maintain.
“Once you are sure that the service offers all the necessary safeguards to protect PHI and personal identifiers of patients and plan members, a Business Associate Agreement must be signed by both parties stating the obligations of each, before access to data is provided,” said the article at HIPAAJournal.com.
What is a HIPAA Business Associate for Cloud?
HIPAA (45 CFR 160.103) defines a business associate as a person or entity that creates, receives, maintains or transmits protected health information on behalf of a HIPAA covered entity. A cloud service provider that stores or processes ePHI for a covered entity meets that definition by law, and HHS guidance makes clear this holds even when the data is encrypted and the provider never holds the key. That is why a HIPAA BAA is critical: it is the instrument that obligates your provider and its staff to protect the data, and it spells out who is responsible for which safeguards so that a violation cannot be dismissed as the other party's problem.
To maintain compliance, a cloud provider and any of its employees who handle protected data must operate with the three categories of safeguards that the Security Rule requires. Examples of each include:
- Administrative Safeguards: Security management process, security awareness training
- Physical Safeguards: Facility access controls, device and media controls including storage of backups
- Technical Safeguards: Access control, audit controls, integrity controls, authentication and transmission security
These safeguards must be implemented, documented and maintained as part of any HIPAA cloud service offering for your business to move to the cloud and still comply with HIPAA and HITECH, including the Omnibus Final Rule of 2013. The BAA should state clearly which of these safeguards the provider owns and which remain with you before a subscription is turned on, so there is no confusion about responsibility, and no resulting violation, down the road.
Beyond HIPAA BAA Requirements
In addition to the HIPAA BAA, the provider should be able to show that its team is trained on HIPAA, that it performs regular risk analyses (this provider commits to semi-annual risk audits), and that it maintains internal policies and procedures tailored to the HIPAA rules. Subcontractor access to ePHI also needs scrutiny: HIPAA allows a business associate to use subcontractors only if each one is itself bound by a BAA, so the provider should either keep subcontractors away from ePHI entirely or disclose which subcontractors have access and confirm that downstream BAAs are in place.
A cloud service provider that is truly dedicated to serving HIPAA covered entities will enable your healthcare organization to leverage the cloud by delivering a solid HIPAA BAA backed by documented safeguards. Covered entities looking to expand should not be deterred by the cost of expansion or by the added burden of provisioning and managing an IT infrastructure capable of supporting that growth.
Startups and established practices in the healthcare industry should feel confident about embracing the cloud, not just as a way to save money but as a tool that drives growth while improving compliance processes. Proceed with caution when choosing a service provider, and make a signed business associate agreement a non-negotiable requirement.