HIPAA Regulations Must be Adhered to by Cloud Service Providers

by | Aug 22, 2014

The recently passed HIPAA Omnibus Rule, normally labelled as the Megarule due to its extensive amendments to existing legislation , updates the Health Insurance Portability and Accountability Act (1996) expanding its reach to include business associates of healthcare companies and their subcontractors.

The growing data storage pressures placed on healthcare organizations require regular hardware updates and increasing amounts of space dedicated to servers and IT staff must be used to manage hardware, update software and maintain networks. Many healthcare groups lack the space or resources to safely store data and outsource their data storage to cloud service providers.

In order function in the healthcare sector, IT and data storage companies must now adhere to HIPAA regulations and sign a business agreement with the healthcare provide for whom they are providing the service. With cloud hosting companies it is clear that HIPAA regulations are applicable as the companies are required to store Protected Health Information, even if the data is not actually viewed.

HIPAA, defines ‘business associate’ as “Document storage companies maintaining protected health information on behalf of covered entities are considered business associates; regardless of whether they actually view the information they hold.” Even IT companies must carry out work on servers containing PHI are now covered under HIPAA as business associates and no work must be carried out without a business agreement being in place.

The new regulations are being policed by the Department of Health and Human Services’ Office for Civil Rights. BAs will now be assessed for HIPAA compliance and can be held directly accountable for data breaches and non-compliance problems. The OCR will be completing a series of audits and business associates will be included and can be fined directly for non-compliance issues and data violations due to HIPAA violations. Fines have been increased to a maximum of $50,000 per violation and an overall total of $1.5 million per year.

If a company works with a healthcare organization or is required to view or come into contact with PHI there may already have an agreement in place. It is important that this is refreshed and updated to include the new facets required by the Omnibus Final Rule. If subcontractors are useed they are the responsibility of the BA contracted to provide the service and these companies or people must also sign business agreements and agree to adhere with HIPAA Privacy and Security Rules.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy