fbpx
Blog March 20, 2013

Why Won't Your Hosting Provider Sign a HIPAA BAA?

OCRs Position on HIPAA Cloud Services

*As of September 23, 2014 all hosting agreements must include a BAA. See the complete list of deadlines.

We are starting to come across this more and more. Many organizations in the healthcare sector are looking for new hosting providers because they deal with Personal Health Information (PHI) and their current provider won’t sign a Business Associate Agreement (BAA).  Let’s take a look at why this is happening.

Well, as you may have heard, new HIPAA BAA regulations went into effect in January 2013, which applies to BAAs for vendors and sub-contracts (more on this in another post). Some may argue that if PHI is encrypted by the customer and only stored by the vendor that HIPAA regulations don’t apply to the vendor/hosting provider. The truth is there is no guarantee that the customer has properly encrypted all of the PHI data before uploading it to a hosting provider. Until the new Omnibus ruling went into effect compliance audits were mainly complaint driven. There is now an effort by the government to be more proactive and selectively audit organizations which will also involve vendors that service or store PHI. Some requirements that have been ambiguous now have definitions and consequences for noncompliance, including fines may go from $50,000 to as high as $1.5 Million.

From a practical perspective, your Master Services Agreement (MSA) may state that you will only be hosting encrypted data. But what if, in an unlikely case, some of your unencrypted data is transferred over to the hosted servers? The hosting provider that claims you don’t need a BAA has placed your compliance in jeopardy. Any vendor reluctant to sign a BAA is essentially non-compliant.

This could put your organization at liability you may not be prepared for. Any vendor that is reluctant to sign a BAA is going to put your organization at risk as well.
At Connectria, we tend to lean more on the conservative side to ensure our customers are protected.  Our HIPAA Compliant Hosting plan is BAA friendly and we enter into these agreements with healthcare customers on a daily basis. We stand by our compliance and aim to help ensure our customers are compliant as well.

Have you come across a similar situation? Have you been effected by this new regulation?

– Chris Davidson

Related Resources

 
What is HITRUST Certification, and why does it matter?
Earlier this month, we announced that Connectria has, once again, passed all of its third-party certifications. For a complete list and a high-level look at…
 
Whitepaper December 5, 2019
GDPR’s Impact on US-Based Companies
 
How to Check Your IBM i OS Version (and Why a Third Party Should Do Your Upgrade)
Many companies run their critical applications on an IBM i framework, all or some of which is still being hosted in their own data centers.…