By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    bowl of vegetable salad
    Raw Foods: benefits and harms
    November 9, 2021
    pros and cons of the keto diet
    Read This Before You Follow the Keto Diet
    May 18, 2022
    spinal cord injuries
    4 Potential Causes of Spinal Cord Injuries (and How to Seek Compensation)
    May 25, 2022
    Latest News
    5 Steps to a Promising Career as a Healthcare Administrator
    July 31, 2025
    Why Custom Telemedicine Apps Outperform Off‑the‑Shelf Solutions
    July 20, 2025
    How Probate Planning Shapes the Future of Your Estate and Family Care
    July 17, 2025
    Beyond Nutrition: Everyday Foods That Support Whole-Body Health
    June 15, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Effective Healthcare Requires a Social Approach
    June 15, 2015
    CCBHCs
    2016 Excellence in Behavioral Health Program Design
    February 23, 2016
    conducting Clinical Trial
    5 Tips for Conducting a Clinical Trial
    April 21, 2024
    Latest News
    How IT and Marketing Teams Can Collaborate to Protect Patient Trust
    July 17, 2025
    How Health Choices and Legal Actions Intersect After an Injury
    July 17, 2025
    How communities and healthcare providers can address slip and fall injuries with legal awareness
    July 17, 2025
    Let Your Lawyer Handle the Work Before You Pay Medical Costs
    July 6, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Healthcare Organizations: Seeking a Cloud Provider? BAAs Required
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Healthcare Organizations: Seeking a Cloud Provider? BAAs Required
eHealth

Healthcare Organizations: Seeking a Cloud Provider? BAAs Required

onlinetech
onlinetech
Share
5 Min Read
SHARE

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

– David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

The OCR, Office of Civil Rights, is the federal enforcer of HIPAA/HITECH. This definitive statement straight from the governing body puts to rest the question about whether or not cloud providers should be considered business associates for covered entities in the healthcare industry, as well as the question of whether a business associate agreement is required or not.

Holtzman’s speech included a specific example of a recent HIPAA violation involving the Phoenix Cardiac Surgery physician practice. Protected health information (PHI) was found posted on an Internet-based calendar, openly available to the public. The practice was using a public cloud-based application that did not have any privacy or security controls.

The lessons learned, according to Holtzman, include the physician’s lack of security and privacy controls, as well as the failure to consider cloud providers to be business associates and sign a business associate agreement (BAA).

Why is it imperative to sign a BAA with a HIPAA cloud provider, as a healthcare organization concerned about PHI security and HIPAA compliance?

Ownership
Who has access to data and rights to your data should be clarified in the BAA with your cloud provider – some cloud providers may include provisions in your contract that give them ownership and control of your data while hosted in their environment. Loss of ownership and control may mean your PHI can be left vulnerable to a breach.

Location
HIPAA security standards apply to covered entities within the United States; if your data is being hosted overseas, the same privacy and security laws may not apply. Know where your data lives and assess the physical, logical and network security of the data center or hosting facility. Read more about Data Center Security and Secure Hosting.

Breach Notification
A clause in your BAA should address breach notification in the event of a data leak – if your cloud provider is aware of a breach, they should have a plan in place that outlines a timeline of notifying the covered entity and their next steps. The OCR requires multiple documents within ten days of a breach – check that your cloud provider is aware of and has the information or ability to help you collect and/or create those documents.

Security and Privacy Controls
Does your cloud provider have documented policies and procedures in place that include employee training on how to securely handle PHI? The obligations and responsibilities of the cloud provider should be outlined in your BAA clearly.

Protocol After Termination
After contract termination with a cloud provider, the terms of data destruction and/or how to return the data to the covered entity should be addressed. Keeping copies of sensitive information within your organization is key to maintaining the data confidentiality and access limitation.

The OCR’s HIPAA audit pilot program launched late last year was intended to identify areas of improvement for covered entities when it comes to data security. With this field research, the OCR can provide more useful guidelines for other healthcare organizations, including the necessity of signing of a BAA with cloud vendors.

Recommended Reading
What’s in a Business Associate Agreement?
Online Tech’s BAA Breach Notification Clause
Five Questions to Ask Your HIPAA Hosting Provider
Who Needs to Be HIPAA Compliant?

References:
HIPAA Audits Wrapping Up at Year’s End as Federal Funding Winds Down – Health Law Resource Center, Bloomberg BNA


 


TAGGED:HIT
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

5 Steps to a Promising Career as a Healthcare Administrator
5 Steps to a Promising Career as a Healthcare Administrator
Health
July 31, 2025
holistic dental
Holistic Dentist Services Are Natural and Safe
Dental health Specialties
July 28, 2025
botox certification
Help Improve People’s Skin Health Via Botox Certification
Skin Specialties
July 22, 2025
Telemedicine Apps
Why Custom Telemedicine Apps Outperform Off‑the‑Shelf Solutions
Health
July 20, 2025

You Might also Like

immunotherapy specialist
DiagnosticseHealthMedical InnovationsSpecialtiesWellness

Doctor Seeking Doctor: We Know Too Much

March 30, 2013
Image
Social Media

Social Media Transforming Care for Rare Disease Patients

February 26, 2013

Free Health Care Website: Consider the Business Model

February 1, 2014
biopharma beat Apple HealthKit
DiagnosticseHealthHospital AdministrationNewsTechnologyWellness

BioPharma Beat: Apple and the Dawn of the Worried Well (the Sequel)

June 3, 2014
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?