All HIPAA/HITECH-regulated organizations in the process of selecting a HIPAA compliant cloud hosting provider should expect their chosen vendor to sign a HIPAA/HITECH Business Associate Agreement (BAA).*
It’s not enough to say, “Yeah, we’ve got a signed BAA. We’re good!”
Your BAA is not just a piece of paper that you read only when a problem arises. You should understand what you’re signing. Why?
Under the new rule, your exposure to penalties is increased. You are responsible for protecting your PHI and for ensuring that any subcontractors you use are also compliant. If the cloud hosting provider you have chosen to host your ePHI fails an audit or suffers a data breach, responsibility also falls on you. (For this reason, it is wise to get a network vulnerability assessment from an independent auditor who does not maintain the vendor’s network.)
Unlike commodity hosting providers, AISN is a HIPAA cloud hosting expert that provides clients with the assistance they need to understand and comply with HIPAA/HITECH throughout all facets of the engagement process. Before any electronic Protected Health Information (ePHI) and apps are moved to the cloud, AISN helps you put in place an appropriate and effective BAA – a policy that is highly specific to the data that we protect and the cloud hosting and services that we offer. Then, our experts will guide you through the process of understanding your own rights and responsibilities, as well as AISN’s, as established under the BAA.
* A HIPAA Business Associate Agreement (BAA) is a written contract between a HIPAA-covered entity and a HIPAA business associate (BA). It defines the responsibilities of each party to safeguard PHI in accordance with HIPAA guidelines. To learn more, see the U.S. Department of Health and Human Services’ expanded definition.
You may be putting yourself and your organization at risk if you engage with a cloud services provider who:
- Is not a HIPAA cloud hosting expert
- Agrees to sign a BAA and yet has no real clue what it means
- Presents you with a boilerplate BAA that fails to address specific aspects of hosting ePHI