Some of the big public cloud providers are trumpeting the fact that they will now sign business associate agreements (BAA), a required contract between HIPAA-covered entities and business associates intended to ensure protection of protected health information (PHI). It only took three to four years to get around to it. Better late than never, so the saying goes.
BAAs have been used to cover enterprise cloud services since 2010; several recent news items incorrectly stated that they are only just beginning to be used for this purpose. Before 2010, BAAs pertained mostly to on-premises software.
Peak 10 has undergone HIPAA compliance auditing since 2010 (two years before cloud providers were required to do so) and has supported HIPAA and HITECH compliance for years. It is still among the few vendors that offer a HIPAA-compliant cloud configured specifically with managed services that help covered entity clients meet many HIPAA security requirements for protecting electronic PHI (ePHI).
Our company’s commitment to regulatory concerns and demands pre-dates many of the better-known laws and industry requirements. Early on when many customers in the Raleigh area were FDA regulated clinical research organizations (CROs), we aligned ourselves with those requirements to serve them better. We haven’t looked back since.
Today, the list is long. Peak 10 is audit-ready for customers needing assistance in meeting the requirements of HIPAA/HITECH, as well as:
- SSAE 16 (SOC 1, SOC 2, SOC 3)
- Food and Drug Administration
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Sarbanes-Oxley (SOX)
- ISO 27001
- Gramm-Leach-Bliley (GLBA)
BAAs scare off many would-be suppliers. A December article in the Wall Street Journal quoted the CIO of the University of Colorado Health, Steve Hess. “They’re unwilling to sign the HIPAA agreements and unwilling to live up to service levels,” he said. He also said these vendors typically include large companies that built a health care business as an ancillary service.
While some public cloud providers say they may now be willing to sign BAAs, that doesn’t mean they actually will. Even more important than the BAA itself is the set of appropriate physical, technical, and administrative safeguards that support it. Coming to terms between the customer and the service provider is not a slam dunk, mostly because the customer wants terms that the providers are not willing to accept. A lack of flexibility in their offerings and an unwillingness to tailor solutions to customers’ specific needs are the probable reasons for this disconnect.
Healthcare professionals also need to remember that HIPAA compliance, like all IT security, involves complex systems made up of people, policies and practices. You still need effective password policies, security measures such as two-factor authentication, appropriate user permission settings, and encryption of PHI. The BAA is just one piece of a complex system needed to protect PHI. But having a provider that wants to be your partner – a true partner – in compliance assurance goes a long way toward easing the burden and lessening the complexity.