*As of September 23, 2014 all hosting agreements must include a BAA. See the complete list of deadlines.
We are starting to come across this more and more. Many organizations in the healthcare sector are looking for new hosting providers because they deal with Personal Health Information (PHI) and their current provider won’t sign a Business Associate Agreement (BAA). Let’s take a look at why this is happening.
Well, as you may have heard, new HIPAA BAA regulations went into effect in January 2013, which applies to BAAs for vendors and sub-contracts (more on this in another post). Some may argue that if PHI is encrypted by the customer and only stored by the vendor that HIPAA regulations don’t apply to the vendor/hosting provider. The truth is there is no guarantee that the customer has properly encrypted all of the PHI data before uploading it to a hosting provider. Until the new Omnibus ruling went into effect compliance audits were mainly complaint driven. There is now an effort by the government to be more proactive and selectively audit organizations which will also involve vendors that service or store PHI. Some requirements that have been ambiguous now have definitions and consequences for noncompliance, including fines may go from $50,000 to as high as $1.5 Million.
From a practical perspective, your Master Services Agreement (MSA) may state that you will only be hosting encrypted data. But what if, in an unlikely case, some of your unencrypted data is transferred over to the hosted servers? The hosting provider that claims you don’t need a BAA has placed your compliance in jeopardy. Any vendor reluctant to sign a BAA is essentially non-compliant.
This could put your organization at liability you may not be prepared for. Any vendor that is reluctant to sign a BAA is going to put your organization at risk as well.
At Connectria, we tend to lean more on the conservative side to ensure our customers are protected. Our HIPAA Compliant Hosting plan is BAA friendly and we enter into these agreements with healthcare customers on a daily basis. We stand by our compliance and aim to help ensure our customers are compliant as well.
Have you come across a similar situation? Have you been effected by this new regulation?
– Chris Davidson