Blog March 20, 2013

Why Won't Your Hosting Provider Sign a HIPAA BAA?

OCR's Position on HIPAA Cloud Services

*As of September 23, 2014 all hosting agreements must include a BAA. See the complete list of deadlines.

We are starting to come across this more and more. Many organizations in the healthcare sector are looking for new hosting providers because they deal with Personal Health Information (PHI) and their current provider won’t sign a Business Associate Agreement (BAA). Let’s take a look at why this is happening.

Well, as you may have heard, new HIPAA BAA regulations went into effect in January 2013, and they apply to BAAs for vendors and subcontractors (more on this in another post). Some may argue that if PHI is encrypted by the customer and only stored by the vendor, HIPAA regulations don’t apply to the vendor/hosting provider. The truth is there is no guarantee that the customer has properly encrypted all of the PHI data before uploading it to a hosting provider. Until the new Omnibus ruling went into effect, compliance audits were mainly complaint driven. There is now an effort by the government to be more proactive and selectively audit organizations, which will also involve vendors that service or store PHI. Some requirements that had been ambiguous now have definitions and consequences for noncompliance, with fines ranging from $50,000 to as high as $1.5 million.

From a practical perspective, your Master Services Agreement (MSA) may state that you will only be hosting encrypted data. But what if, in an unlikely case, some of your unencrypted data is transferred over to the hosted servers? The hosting provider that claims you don’t need a BAA has placed your compliance in jeopardy. Any vendor reluctant to sign a BAA is essentially non-compliant.

This could put your organization at a liability you may not be prepared for. Any vendor that is reluctant to sign a BAA is going to put your organization at risk as well.

At Connectria, we tend to lean more on the conservative side to ensure our customers are protected. Our HIPAA Compliant Hosting plan is BAA friendly and we enter into these agreements with healthcare customers on a daily basis. We stand by our compliance and aim to help ensure our customers are compliant as well.

Have you come across a similar situation? Have you been affected by this new regulation?

– Chris Davidson
