The short answer? Yes.
Under the HIPAA / HITECH Omnibus Rule, covered entities such as healthcare providers are legally obligated to enter into a Business Associate Agreement (BAA) with any cloud service provider that creates, receives, maintains or transmits protected health information (PHI) on their behalf. The BAA must spell out how the cloud service provider will protect that PHI with appropriate administrative, physical and technical safeguards. Confusion enters the picture, however, because the Omnibus Rule does not specifically address how cloud computing services should be implemented to manage PHI.
So how did this come about? Historically, the Department of Health and Human Services (HHS) had enforcement authority over covered entities (CEs) only: health plans, healthcare clearinghouses and, most visibly, healthcare providers. Fast forward nearly two decades from HIPAA’s 1996 inception and the playing field has changed drastically, at least from a legal and financial culpability standpoint. HHS now treats cloud service providers that handle PHI as business associates (BAs), and the Omnibus Rule extends direct liability to BAs and to any of their subcontractors that handle PHI. Today, the potential penalties for a data breach or HIPAA violation are severe for every party to a BAA:
- Civil Penalties: The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, established a tiered civil penalty structure ranging from $100 to $50,000 per violation, depending on the level of culpability, with an annual cap of $1.5 million for all violations of an identical provision.
- Criminal Penalties: In June 2005 the U.S. Department of Justice clarified that CEs, and specified individuals acting on their behalf, who “knowingly” obtain or disclose individually identifiable health information in violation of HIPAA may face fines and imprisonment.
Distressingly, however, not every cloud service provider in the market knows of its obligation to enter into a BAA with its CE clients. If yours is soft-pedaling the requirement, you can be reasonably sure there are other aspects of the compliance regulations it does not understand either.
It is also important to note that HHS’s Office for Civil Rights (OCR) audits CEs and BAs for compliance with the HIPAA Privacy, Security and Breach Notification Rules, and whether a BAA exists, and what it covers, is among the items reviewed. In researching this topic you will still find open questions about what should or should not be addressed in a BAA, but the absence of a BAA is itself a violation under the Omnibus Rule, and regulators can treat a CE that shares PHI with a vendor without one as having shown “willful neglect,” the highest civil penalty tier. So why put your organization at risk?
Now that we agree that a BAA is necessary under the Omnibus Rule, it’s time to determine whether your cloud hosting provider can meet your BAA needs. Download our BAA Checklist for a quick list of questions to ask, and if you have any questions about compliance in the cloud, including BAAs, contact us today.