HIPAA Regulations Must be Adhered to by Cloud Service Providers

by Ryan Coyne | Aug 22, 2014

The recently passed HIPAA Omnibus Rule, normally labelled as the Megarule due to its extensive amendments to existing legislation , updates the Health Insurance Portability and Accountability Act (1996) expanding its reach to include business associates of healthcare companies and their subcontractors.

The growing data storage pressures placed on healthcare organizations require regular hardware updates and increasing amounts of space dedicated to servers and IT staff must be used to manage hardware, update software and maintain networks. Many healthcare groups lack the space or resources to safely store data and outsource their data storage to cloud service providers.

In order function in the healthcare sector, IT and data storage companies must now adhere to HIPAA regulations and sign a business agreement with the healthcare provide for whom they are providing the service. With cloud hosting companies it is clear that HIPAA regulations are applicable as the companies are required to store Protected Health Information, even if the data is not actually viewed.

HIPAA, defines ‘business associate’ as “Document storage companies maintaining protected health information on behalf of covered entities are considered business associates; regardless of whether they actually view the information they hold.” Even IT companies must carry out work on servers containing PHI are now covered under HIPAA as business associates and no work must be carried out without a business agreement being in place.

The new regulations are being policed by the Department of Health and Human Services’ Office for Civil Rights. BAs will now be assessed for HIPAA compliance and can be held directly accountable for data breaches and non-compliance problems. The OCR will be completing a series of audits and business associates will be included and can be fined directly for non-compliance issues and data violations due to HIPAA violations. Fines have been increased to a maximum of $50,000 per violation and an overall total of $1.5 million per year.

If a company works with a healthcare organization or is required to view or come into contact with PHI there may already have an agreement in place. It is important that this is refreshed and updated to include the new facets required by the Omnibus Final Rule. If subcontractors are useed they are the responsibility of the BA contracted to provide the service and these companies or people must also sign business agreements and agree to adhere with HIPAA Privacy and Security Rules.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter