
Cloud Communications

Medical offices either considering or currently using a cloud-based service for data storage, retrieval, and patient access have specific fortifications that need to be addressed with a Business Associate Agreement (BAA).

Business associates are now separately and directly accountable for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as violations of patient privacy and any security breach notification rules. Penalties for HIPAA noncompliance begin at $10,000 and could reach upwards of $1.5 million per violation.


HIPAA requires business associates to implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information (PHI), and to ensure that any subcontractor (e.g., cloud service, data service, or outsourced billing service) engaged by the business associate in this process implements similar safeguards.

  • The business associate must review and modify security measures on an ongoing basis to ensure the continued provision of reasonable and appropriate protection of PHI.  
  • If a business associate retains a subcontractor to perform a function or service that involves use or disclosure of PHI, then the business associate is obligated to enter into a BAA with each subcontractor (a subcontractor, contracting to another).  
  • If a breach of PHI occurs at the subcontractor stage, the subcontractor must then notify the business associate, which then must notify the covered entity (medical office/service). The covered entity must then notify the affected individuals (patients, insurance companies, etc.), unless it has assigned such responsibilities to a business associate.

For more information on the HIPAA Security Rule, visit this link

Visit our website for a Sample Business Associate Agreement. Or you can download it here. After you click the link, choose "Save File" to save the document to your computer.

 

Authored by
Allan Ridings
Senior Risk Management & Patient Safety Specialist

 

If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.