By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    HIPPA compliance
    How Medical Office Staff Can Make Your Practice HIPAA Compliant
    October 29, 2021
    Everything you need to know about hyaluronic acid treatment
    Everything you need to know about hyaluronic acid treatment
    February 10, 2022
    Which Mushroom Capsules Are Good for Your Health?
    May 5, 2022
    Latest News
    6 Easy Healthcare Ways to Sit Less and Move More Every Day
    September 10, 2025
    7 Most Common Healthcare Accreditation Programs: Which Should You Use?
    August 20, 2025
    Hospital Pest Control and the Fight Against Superbugs
    August 20, 2025
    Hygiene Beyond The Clinic: Attention To Overlooked Non-Clinical Spaces
    August 13, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Clinical Trials
    Can You Participate in a Clinical Trial?
    April 28, 2022
    5 Things to Take Care of When You Go Into Hospital
    July 24, 2020
    Pharmacists help you
    How A Pharmacist Can Help You
    November 28, 2022
    Latest News
    Healthcare at a Crossroads: Why Leadership Matters More Than Ever
    September 9, 2025
    How Social Security Disability Shapes Access to Care and Everyday Health
    August 22, 2025
    How a DUI Lawyer Can Help When Your Future Health Feels Uncertain
    August 22, 2025
    How One Fall Can Lead to a Long Road of Medical Complications
    August 22, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Healthcare Organizations: Seeking a Cloud Provider? BAAs Required
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Healthcare Organizations: Seeking a Cloud Provider? BAAs Required
eHealth

Healthcare Organizations: Seeking a Cloud Provider? BAAs Required

onlinetech
onlinetech
Share
5 Min Read
SHARE

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

The OCR, Office of Civil Rights, is the federal enforcer of HIPAA/HITECH. This definitive statement straight from the governing body puts to rest the question about whether or not cloud providers should be considered business associates for covered entities in the healthcare industry, as well as the question of whether a business associate agreement is required or not.

Holtzman’s speech included a specific example of a recent HIPAA violation involving the Phoenix Cardiac Surgery physician practice. Protected health information (PHI) was found posted on an Internet-based calendar, openly available to the public. The practice was using a public cloud-based application that did not have any privacy or security controls.

The lessons learned, according to Holtzman, include the physician’s lack of security and privacy controls, as well as the failure to consider cloud providers to be business associates and sign a business associate agreement (BAA).

Why is it imperative to sign a BAA with a HIPAA cloud provider, as a healthcare organization concerned about PHI security and HIPAA compliance?

Ownership
Who has access to data and rights to your data should be clarified in the BAA with your cloud provider – some cloud providers may include provisions in your contract that give them ownership and control of your data while hosted in their environment. Loss of ownership and control may mean your PHI can be left vulnerable to a breach.

Location
HIPAA security standards apply to covered entities within the United States; if your data is being hosted overseas, the same privacy and security laws may not apply. Know where your data lives and assess the physical, logical and network security of the data center or hosting facility. Read more about Data Center Security and Secure Hosting.

Breach Notification
A clause in your BAA should address breach notification in the event of a data leak – if your cloud provider is aware of a breach, they should have a plan in place that outlines a timeline of notifying the covered entity and their next steps. The OCR requires multiple documents within ten days of a breach – check that your cloud provider is aware of and has the information or ability to help you collect and/or create those documents.

Security and Privacy Controls
Does your cloud provider have documented policies and procedures in place that include employee training on how to securely handle PHI? The obligations and responsibilities of the cloud provider should be outlined in your BAA clearly.

Protocol After Termination
After contract termination with a cloud provider, the terms of data destruction and/or how to return the data to the covered entity should be addressed. Keeping copies of sensitive information within your organization is key to maintaining the data confidentiality and access limitation.

The OCR’s HIPAA audit pilot program launched late last year was intended to identify areas of improvement for covered entities when it comes to data security. With this field research, the OCR can provide more useful guidelines for other healthcare organizations, including the necessity of signing of a BAA with cloud vendors.

Recommended Reading
What’s in a Business Associate Agreement?
Online Tech’s BAA Breach Notification Clause
Five Questions to Ask Your HIPAA Hosting Provider
Who Needs to Be HIPAA Compliant?

References:
HIPAA Audits Wrapping Up at Year’s End as Federal Funding Winds Down – Health Law Resource Center, Bloomberg BNA


 


TAGGED:HIT
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

a woman walking on the hallway
6 Easy Healthcare Ways to Sit Less and Move More Every Day
Health
September 9, 2025
Clinical Expertise
Healthcare at a Crossroads: Why Leadership Matters More Than Ever
Global Healthcare
September 9, 2025
travel nurse in north carolina
Balancing Speed and Scope: Choosing the Nursing Degree That Fits Your Goals
Nursing
September 1, 2025
intimacy
How to Keep Intimacy Comfortable as You Age
Relationship and Lifestyle Senior Care
September 1, 2025

You Might also Like

Australian Providers Now Have Access to TotalExam

June 23, 2012
mhealth
Home HealthMedical DevicesMedical InnovationsMobile HealthNewsTechnology

Mobile Health Around the Globe: Raiing Thermometer From China Continuously Monitors Temperature

January 21, 2013

Opportunity Knocks for Healthcare Delivery: Who Will Answer the Door?

August 21, 2013
Image
Mobile Health

mHealthSummit 2012 – Coming Up Next Week!

November 26, 2012
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?