As more physicians incorporate EHR systems into their practices, many are considering the cost-saving potential of cloud-based storage companies to house these records. Some of our members have come across companies such as these that are not familiar with HIPAA compliance requirements and therefore will not sign business associate agreements with the member’s EHR service provider as required by law.
But make no mistake — it is established law that HIPAA’s privacy and security requirements do apply to vendors who provide cloud-based EHR products.
When a company refuses to sign a business associate agreement, there is a good chance the company is not taking the steps business associates are supposed to take to guard patients’ protected health information, such as conducting risk analyses, creating audit trails, and instituting basic security controls.
If your EHR vendor or cloud storage vendor refuses to sign a business associate agreement, you should find another vendor. For more information on this subject, visit the U.S. Department of Health & Human Services website.
WANT MORE HIPAA COMPLIANCE RESOURCES? Get our free HIPAA Compliance Action Guide, filled with step-by-step advice and a helpful checklist for ensuring your practice stays compliant. Download the HIPAA Compliance Action Guide.
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.