- October 19, 2016
- Posted by: Lee Mangold
- Category: Blog
The cloud has undoubtedly brought about a new era of efficiency in computing. As healthcare providers increasingly move to the cloud, they need to be aware of their obligations under the HIPAA Security and Privacy rules, as these cloud service providers (CSP) are most often considered business associates.
If you remember from a previous post, business associates create, receive, maintain, or transmit PHI on behalf of a covered entity or another business associate. If you use a CSP service – be it a HER or even a drive service like dropbox – you are required to have a BAA in place with that provider. If the provider is unwilling to sign a BAA, the CE should find another provider to work with
We get asked a lot: “but will [service provider here] sign a BAA with me?” The answer for most of the larger providers, is “yes!” However, you will likely need to accept their boilerplate terms. These terms often specify a “shared responsibility model” between the CE and the CSP (BA).
What is a shared responsibility model? The CSP is agreeing to share the responsibility of protecting your ePHI. However, they are not taking full responsibility (and they likely shouldn’t). Each CSP should have a list of things they specifically cover and do not cover. For example: while they may offer encrypted storage by default, they can’t control who you give access to the encrypted data.
An interesting area we see this in is email service providers. Or, more specifically: spam prevention services. These services usually access and retain all your email. If you use email to transmit ePHI (which is a risk, but a manageable one), you need to assess the risk of that CSP holding ePHI and they must sign a BAA!
Choosing is CSP is like any other vendor selection process. If your vendor is not willing to sign a BAA (or they don’t know what that means), take that as a warning sign and find another provider!
GoldSky can help you in your vendor selection and assessment processes!