While cloud computing has a proven ability to enable businesses to expand at lower costs, HIPAA covered entities are often reluctant to move to the cloud because they are concerned about security, privacy and risk.
So, does going cloud really mean sacrificing security and privacy for financial and strategic benefits? It shouldn’t.
![image for baa hipaa baa hippa cloud requirements]()
Check out these essential safeguards for HIPAA compliant cloud hosting »
A Business Associate Agreement is a Must
While many cloud offerings claim to be HIPAA compliant, compliance is about more than just security and data centers. Cloud service providers who are truly able to support healthcare organizations and other covered entities will offer a business associate agreement as a standard component in their cloud offering.
A built-in business associate agreement (BAA) is one of the top five criteria that covered entities should consider when choosing a cloud provider, according to the HIPAA Journal’s website.
A HIPAA BAA is your guarantee that your cloud service provider and all hosting employees who handle Protected Health Information (PHI) understand the HIPAA safeguard requirements and responsibilities.
“Once you are sure that the service offers all the necessary safeguards to protect PHI and personal identifiers of patients and plan members, a Business Associate Agreement must be signed by both parties stating the obligations of each, before access to data is provided,” said the article at HIPAAJournal.com.
The Role of the Cloud Business Associate
The HIPAA Security Rule defines business associates as individuals or entities who create, receive, maintain or store protected health information on behalf of a HIPAA covered entity. That means cloud service providers are considered business associates by law, which is why it is critical to have a HIPAA BAA that ensures your provider and their staff are qualified and compelled to protect you from violations.
In order to ensure you maintain compliance, a cloud provider and any of their employees who handle protected data must operate with three types of required safeguards in place.
These safeguards include:
- Administrative Safeguards: Security management process, security awareness training
- Physical Safeguards: Facility access controls, device and media controls including storage of backups
- Technical Safeguards: Access control and transmission security
These safeguards must be implemented, documented and maintained as part of any HIPAA cloud service offering in order for your business to go cloud and still comply with the HIPAA and HITECH, including the Omnibus Rules of 2013. These safeguards should be clearly addressed in any HIPAA BAA before turning on a subscription so there are no violations or confusion about responsibility down the road.
Beyond HIPAA BAA Requirements
In addition to the HIPAA BAA, the provider should also guarantee that its team is trained and educated on HIPAA and that the organization undergoes semi-annual risk audits while maintaining internal policies and procedures tailored to HIPAA rules. It is also critical that the provider does not allow any subcontractors to access ePHI data.
Takeaway
A cloud service provider who is truly dedicated to serving HIPAA covered entities will enable your healthcare organization to leverage the power of the cloud by delivering a rock solid HIPAA BAA. Covered entities looking to expand their business should not be deterred by the cost of expansion or the added requirements of provisioning and managing an IT infrastructure that is capable of supporting growth ambitions.
Startups and established practices in healthcare industries should feel confident about embracing the cloud, not just as a way to save money but as a tool that will drive growth while improving compliance processes. Just proceed with caution when choosing a service provider and make a business associate agreement a critical requirement.
Curious about your HIPAA cloud software options? Browse some of the HIPAA Compliant Hosting solutions for Microsoft Business Software »
The post HIPPA Cloud Requirements: Role of the Business Associate appeared first on RoseASP, Inc..