Want to help ensure that your hosted Exchange email complies with the 2013 HIPAA Omnibus Final Rule? Here are 4 questions to ask any cloud provider.
- Will you sign a Business Associate Agreement?
- Are your policies and procedures in place?
- Has your provider had an independent audit?
- Will you help configure my service?
For many businesses, the decision to move to the cloud is about economics: the cloud provides greater value than an on-premises deployment.
But for businesses that work with Protected Health Information (PHI), there’s a consideration beyond economics: HIPAA requirements.
If you’re concerned about HIPAA compliance, we’ve compiled the four key questions you need to ask about HIPAA compliance and hosted services, including hosted Exchange email, file sync and share tools, collaboration services like SharePoint, and more. But first, some important background.
New HIPAA regulation expands “Business Associate” definition
HIPAA rules have long required that a healthcare organization (a “Covered Entity”) bind its “Business Associates” to HIPAA’s privacy and security obligations. That’s not new.
What IS new is the 2013 HIPAA Omnibus Final Rule, which expands the definition of “Business Associate” and its privacy protection obligations to include subcontractors as far up and down the chain as Protected Health Information (PHI) may be handled. The rule went into effect on March 26, 2013, with a final compliance deadline of September 23, 2013.
This means that datacenters, online backup providers, and cloud services providers can be considered Business Associates if PHI moves through their systems. And that means they need to be HIPAA compliant.
Here’s how this impacts you: you need to make sure that your cloud service providers are HIPAA compliant—because if they’re not compliant, you’re not compliant.
4 questions to ask any cloud provider
Since the financial penalty for HIPAA violations can be severe (up to $1.5M per year for each category of violation), it’s very important that your cloud services provider is compliant. Here are the four most important questions to ask.
1. Will you acknowledge that your company qualifies as a “Business Associate” under the new definition, and will you sign a HIPAA Business Associate Agreement?
Business Associate Agreements are required between Covered Entities and Business Associates, between Business Associates and any subcontractors they use, and between those subcontractors and their own subcontractors. This goes all the way down the line to any person or entity that creates, receives, maintains or transmits PHI.
Your provider must be willing to sign a Business Associate Agreement that acknowledges their role and responsibilities under the 2013 HIPAA Omnibus Final Rule. Without that agreement you have no contractual assurance that they are compliant, and no written record of who is responsible for what.
2. Have you implemented HIPAA-specific policies and procedures, conducted a HIPAA risk analysis, and completed workforce training?
Your provider should be able to give you a clear written statement of the policies and procedures they follow in their role as a Business Associate, along with evidence that they have performed a HIPAA risk analysis. They should also have trained the staff and associates who might potentially handle Protected Health Information.
3. Has your organization submitted to an independent audit to validate your HIPAA compliance?
Having an independent party perform a gap assessment against HIPAA’s requirements is very important for the cloud provider and offers you valuable protection. It gives the provider an accurate appraisal of their compliance efforts, and it lends credibility with regulators. Keep in mind that there is no government-issued “HIPAA certification,” so ask to see the assessment report and its scope rather than accepting a compliance badge at face value.
4. Do your services need to be specially configured to be HIPAA compliant, and will you help me with that configuration?
Some services may require special configuration to be fully compliant, such as settings for encrypting PHI in transit, retaining audit logs, or restricting who can access shared data. Your provider should be able to clearly explain, in writing, what needs to be done, and they should offer assistance and advice on performing the configuration. Even better, they should configure the service for you.
Intermedia and HIPAA Compliance
Intermedia services are designed to meet the privacy and security requirements for Protected Health Information (PHI). Our policies, procedures, technologies and services are audited by a third party to validate conformance with HIPAA privacy and security requirements, and Intermedia will execute a HIPAA Business Associate Agreement with Covered Entities.