By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    improving patient experience
    6 Ways to Improve Patient Satisfaction Within Hospitals
    December 1, 2021
    degree for healthcare job
    What Are The Health Benefits Of Having A Degree?
    March 9, 2022
    custom software development is changing healthcare
    Digital Customer Journey Mapping and its Importance for Healthcare
    July 21, 2022
    Latest News
    Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
    May 16, 2025
    Learn how to Renew your Medical Card in West Virginia
    May 16, 2025
    Choosing the Right Supplement Manufacturer for Your Brand
    May 1, 2025
    Engineering Temporary Hospitals for Extreme Weather
    April 24, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Can Thinking Younger Make You Live Longer?
    April 20, 2011
    Image
    Obesity’s Outlook Unchanged
    June 13, 2011
    When It’s An Emergency Elderly Not Treated As Well in Hospitals
    July 16, 2011
    Latest News
    Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
    May 18, 2025
    The Critical Role of Healthcare in Personal Injury Recovery: A Comprehensive Guide for Victims
    May 14, 2025
    The Backbone of Successful Trials: Clinical Data Management
    April 28, 2025
    Advancing Your Healthcare Career through Education and Specialization
    April 16, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Healthcare Organizations: Seeking a Cloud Provider? BAAs Required
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Healthcare Organizations: Seeking a Cloud Provider? BAAs Required
eHealth

Healthcare Organizations: Seeking a Cloud Provider? BAAs Required

onlinetech
Last updated: May 11, 2012 8:23 am
onlinetech
Share
5 Min Read
SHARE

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

The OCR, Office of Civil Rights, is the federal enforcer of HIPAA/HITECH. This definitive statement straight from the governing body puts to rest the question about whether or not cloud providers should be considered business associates for covered entities in the healthcare industry, as well as the question of whether a business associate agreement is required or not.

Holtzman’s speech included a specific example of a recent HIPAA violation involving the Phoenix Cardiac Surgery physician practice. Protected health information (PHI) was found posted on an Internet-based calendar, openly available to the public. The practice was using a public cloud-based application that did not have any privacy or security controls.

The lessons learned, according to Holtzman, include the physician’s lack of security and privacy controls, as well as the failure to consider cloud providers to be business associates and sign a business associate agreement (BAA).

Why is it imperative to sign a BAA with a HIPAA cloud provider, as a healthcare organization concerned about PHI security and HIPAA compliance?

Ownership
Who has access to data and rights to your data should be clarified in the BAA with your cloud provider – some cloud providers may include provisions in your contract that give them ownership and control of your data while hosted in their environment. Loss of ownership and control may mean your PHI can be left vulnerable to a breach.

Location
HIPAA security standards apply to covered entities within the United States; if your data is being hosted overseas, the same privacy and security laws may not apply. Know where your data lives and assess the physical, logical and network security of the data center or hosting facility. Read more about Data Center Security and Secure Hosting.

Breach Notification
A clause in your BAA should address breach notification in the event of a data leak – if your cloud provider is aware of a breach, they should have a plan in place that outlines a timeline of notifying the covered entity and their next steps. The OCR requires multiple documents within ten days of a breach – check that your cloud provider is aware of and has the information or ability to help you collect and/or create those documents.

Security and Privacy Controls
Does your cloud provider have documented policies and procedures in place that include employee training on how to securely handle PHI? The obligations and responsibilities of the cloud provider should be outlined in your BAA clearly.

Protocol After Termination
After contract termination with a cloud provider, the terms of data destruction and/or how to return the data to the covered entity should be addressed. Keeping copies of sensitive information within your organization is key to maintaining the data confidentiality and access limitation.

The OCR’s HIPAA audit pilot program launched late last year was intended to identify areas of improvement for covered entities when it comes to data security. With this field research, the OCR can provide more useful guidelines for other healthcare organizations, including the necessity of signing of a BAA with cloud vendors.

Recommended Reading
What’s in a Business Associate Agreement?
Online Tech’s BAA Breach Notification Clause
Five Questions to Ask Your HIPAA Hosting Provider
Who Needs to Be HIPAA Compliant?

References:
HIPAA Audits Wrapping Up at Year’s End as Federal Funding Winds Down – Health Law Resource Center, Bloomberg BNA


 


TAGGED:HIT
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

Clinical Expertise
Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
Health care
May 18, 2025
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Health
May 15, 2025
Learn how to Renew your Medical Card in West Virginia
Learn how to Renew your Medical Card in West Virginia
Health
May 15, 2025
Dr. Klaus Rentrop Shares Acute Myocardial Infarction heart treatment
Dr. Klaus Rentrop Shares Acute Myocardial Infarction
Cardiology
May 13, 2025

You Might also Like

Image
BusinesseHealthSocial Media

Beyond the Buzz: What the New Twitter Profile Means for Healthcare Marketing

April 25, 2014
Medical Search Marketing
BusinesseHealth

Why Medical Professionals Should Embrace Internet Marketing

May 30, 2014

How to Build a Better Hospital Blog

August 9, 2014

Hospitals: Take Down Those Walls!

October 12, 2012
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?