HIPAA Compliance and Data Storage — Major Changes for Business Associates

Changes in HIPAA Compliance and Data Storage

As of September 23, 2013, HIPAA compliance is mandatory for Covered Entities as well as for Business Associates and subcontractors that create, receive, maintain, or transmit Protected Health Information (PHI). The presentation below goes into significant detail on several aspects of HIPAA compliance and data storage to help Covered Entities and Business Associates.

The HIPAA Final Rule differs from earlier versions of HIPAA in that Business Associates (and their subcontractors) are now fully and directly liable for HIPAA violations. Covered Entities, however, are not entirely "off the hook" for downstream compliance, because the Final Rule applies the Federal common law of agency to the relationship (see the presentation for more details).

Business Associates (and the relevant subcontractors) may only need to comply with parts of the Privacy Rule, depending on how the Business Associate Agreement is structured. All Business Associates (and subcontractors who act as Business Associates) must comply with the entire Security Rule. This has direct consequences for any provider that stores PHI on behalf of a Covered Entity.

HIPAA Compliance and The Security Rule

The HIPAA Security Rule has 42 Implementation Specifications (listed in the presentation) that are either Required (20) or Addressable (22). "Addressable" does not mean optional: an addressable specification must be implemented if it is reasonable and appropriate, and if it is not, the organization must document why and implement an equivalent alternative measure where reasonable. There is also a set of Organizational Requirements, along with Policies, Procedures, and Documentation Requirements that define what must be written down and retained for HIPAA compliance.

The Implementation Specifications are grouped into three categories, or Safeguards, to help Covered Entities and Business Associates understand and manage them: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. By and large these have been around for years, but only since the HIPAA Final Rule became effective on March 26, 2013 have these Safeguards applied directly to Business Associates.

HIPAA Compliance and Data Storage


HIPAA Cloud Hosting

One particular area to note is HIPAA compliance for data storage, often simply called "hosting". Web hosting (and more recently cloud hosting) has been around for well over a decade, but there was little guidance on whether data storage companies are Business Associates until the HIPAA Final Rule stated:

For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.

For Covered Entities or Business Associates who store Protected Health Information with web hosting companies or cloud providers, now is the time to ensure that the hosted PHI is covered by the organization's HIPAA compliance program. HealthCare Too offers these three simple questions to help Covered Entities and Business Associates determine whether they need HIPAA Cloud Hosting:

1) Does the organization have a signed Business Associate Agreement with the hosting provider?
2) Has the hosting provider implemented appropriate Administrative, Physical, and Technical Safeguards to comply with the Security Rule?
3) Can the organization retrieve all backups, audit logs, and other system administration records for its account from the hosting provider?

If the answer to any of these three questions is not "Yes", HealthCare Too's HIPAA Cloud Hosting provides the assurance of high-performance, medical-grade HIPAA Cloud Hosting in a HIPAA-audited data center (auditor report available).
