Did you know if you’re a cloud service provider you are required to sign a business associate agreement (BAA) if the healthcare organization you’re working with is handling protected health info (PHI)? Why is it so important not just to be reliable but also HIPAA compliant cloud?
Last week the U.S. Department of Health and Human Services released useful guidance clarifying that a business associate agreement is required for cloud service providers that could be storing PHI on behalf of healthcare organizations (even if they don’t know it). This includes providers like Amazon Web Services (AWS) or Dropbox, and is true whether a healthcare organization is using these services or they are being utilized by one of the business associates they’re contracting with.
Additionally, the HHS guidance clarified that a BAA is required even if the cloud storage provider has no access to the PHI because it is encrypted by you, and the cloud provider does not have access to the encryption key. There was some debate on this topic before the guidance, but now it is clear a BAA is required even if the cloud provider cannot access the information. As the guidance points out, the cloud provider still has persistent access (as opposed to transient access that allow for the conduit exception to apply), and must maintain various safeguards to ensure the PHI is maintained in its encrypted state.
Many of the major cloud storage provers (most notably AWS) have been willing to execute BAAs for some time. If you’re a healthcare organization and you’re storing PHI in the cloud and do not have a BAA in place with the cloud provider, you must execute one in short order. Most likely you do not have a BAA in place because the cloud provider is unaware you are storing PHI on their systems. Once you make them aware, it is likely they will willingly sign a BAA.