Medical offices that are considering or currently using a cloud-based service for data storage, retrieval, and patient access have specific safeguards that need to be addressed in a Business Associate Agreement (BAA).
Business associates are now separately and directly accountable for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as for violations of the patient privacy and security breach notification rules. Penalties for HIPAA noncompliance begin at $10,000 and could reach upwards of $1.5 million per violation.
HIPAA requires business associates to implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information (PHI), and to ensure that any subcontractor (e.g., cloud service, data service, outsourced billing service, etc.) engaged by the business associate in this process implements similar safeguards.
- The business associate must review and modify security measures on an ongoing basis to ensure the continued provision of reasonable and appropriate protection of PHI.
- If a business associate retains a subcontractor to perform a function or service that involves the use or disclosure of PHI, then the business associate is obligated to enter into a BAA with each subcontractor (and the same applies to a subcontractor that contracts with another subcontractor).
- If a breach of PHI occurs at the subcontractor stage, the subcontractor must notify the business associate, which must then notify the covered entity (the medical office or service). The covered entity must then notify the affected individuals (patients, insurance companies, etc.), unless it has assigned that responsibility to a business associate.
For more information on the HIPAA Security Rule, visit the U.S. Department of Health & Human Services.
Author Allan Ridings is a Senior Risk Management & Patient Safety Specialist for the Cooperative of American Physicians, Inc. (CAP).
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.