HIPAA Regulations Must be Adhered to by Cloud Service Providers

The recently passed HIPAA Omnibus Rule, normally labelled as the Megarule due to its extensive amendments to existing legislation , updates the Health Insurance Portability and Accountability Act (1996) expanding its reach to include business associates of healthcare companies and their subcontractors.

The growing data storage pressures placed on healthcare organizations require regular hardware updates and increasing amounts of space dedicated to servers and IT staff must be used to manage hardware, update software and maintain networks. Many healthcare groups lack the space or resources to safely store data and outsource their data storage to cloud service providers.

In order function in the healthcare sector, IT and data storage companies must now adhere to HIPAA regulations and sign a business agreement with the healthcare provide for whom they are providing the service. With cloud hosting companies it is clear that HIPAA regulations are applicable as the companies are required to store Protected Health Information, even if the data is not actually viewed.

HIPAA, defines ‘business associate’ as “Document storage companies maintaining protected health information on behalf of covered entities are considered business associates; regardless of whether they actually view the information they hold.” Even IT companies must carry out work on servers containing PHI are now covered under HIPAA as business associates and no work must be carried out without a business agreement being in place.

The new regulations are being policed by the Department of Health and Human Services’ Office for Civil Rights. BAs will now be assessed for HIPAA compliance and can be held directly accountable for data breaches and non-compliance problems. The OCR will be completing a series of audits and business associates will be included and can be fined directly for non-compliance issues and data violations due to HIPAA violations. Fines have been increased to a maximum of $50,000 per violation and an overall total of $1.5 million per year.

If a company works with a healthcare organization or is required to view or come into contact with PHI there may already have an agreement in place. It is important that this is refreshed and updated to include the new facets required by the Omnibus Final Rule. If subcontractors are useed they are the responsibility of the BA contracted to provide the service and these companies or people must also sign business agreements and agree to adhere with HIPAA Privacy and Security Rules.