As a service provider that works with healthcare clients, you’re probably well aware of many of the HIPAA requirements outlined in the Omnibus Rule, which define your company as a business associate. Hopefully by this point, you’re well versed in developing and signing HIPAA Business Associate Agreements with your partners, which define both parties’ roles in protecting PHI (personal healthcare information).
Even if you are able to check off that box, there’s one other party involved in this process that might not yet be part of your agreement: your cloud service provider.
If you don’t have a HIPAA Business Associate Agreement with your cloud provider, it could be for one of two reasons: Either they’re not knowledgeable about the Omnibus Rule (major red flag) or, if they are they believe they are an exception to the business associate requirement.
If your provider falls into the latter category, here’s a brief explanation why they may hold this belief. In the Department of Health and Human Services’ (HHS) definition of and requirements for Business Associates, it includes a section about “Exceptions to the Business Associate Standard.” One of the qualifying exceptions is “a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.” Based on this description, it’s easy to see where cloud providers could make the claim that they’re merely “conduits” for the end customers’ data and therefore meet the exception requirements. A recent article from the BakerHostetler law firm titled, “HIPAA, Business Associates and the Cloud” makes it clear, however, that cloud providers do not meet the exception requirements, and they therefore must sign HIPAA Business Associate Agreements describing how they will protect PHI before storing it in their data centers.
As a VAR or MSP, this is important to know because if there’s one thing you can count on with HIPAA rules and regulations, it’s the fact that ignorance about a rule doesn’t excuse you from facing the consequences for violating it.
Armed with this knowledge, it’s a good idea to discuss this matter with your cloud provider and insist, as a starting point, that they have these agreements in place. And, even if they do, be sure you review the agreement to see exactly what their role is in protecting your customers’ data. The agreement should spell out several “What if?” scenarios, ranging from data breaches to the provider going out of business. Be prepared to consider alternative options if it looks like the agreement places too much responsibility on your company and not enough on them. After all, you have enough responsibility as it is — you shouldn’t have the added risk of dealing with a vendor partner that wants to take a hands off approach to your customers’ PHI.