The Clock is Ticking on Your Cloud Vendors

All organizations have a business imperative to control risk.  For healthcare companies that corporate responsibility extends to the protection of ePHI within their organization.  The HIPAA Omnibus rule outlines this responsibility with a refined definition of responsible parties, notably your outsourced storage vendors and subcontractors.  

This final rule is a call to action, with a six month timeline (September 23, 2013 being the compliance date), to make sure your vendor relationships for cloud computing and hosted data storage are with a company who will stand behind their security controls and oversight with a Business Associate Agreement (BAA).  

Your vendor should provide you with specific details about the physical location of your data along with the technical, administrative and physical safeguards in place at that location. This is an ideal time to dive into the details with your vendor, ask the tough questions about their controls and security methodology, and document that evidence for your compliance team.  

As an example, if, after the compliance date, a security or breach was to occur and it’s determined that the vendor who has storage responsibility for ePHI was involved, and that vendor was not a Business Associate (BA), the Covered Entity who hired that vendor (i.e. the healthcare organization) can be found liable and face civil money penalties (CMP) for each violation found.

The penalties will be tiered and stem from low hundreds (for minor “unknowing” infractions) to high, $50K+, (for serious “willful neglect” infractions).  The onus will then be on the Covered Entity and the Business Associate to provide the justification/interpretation of the HIPAA Omnibus rule for continuing the vendor relationship outside of a BA.

These efforts will pay off in terms of better risk management and alignment to the final rule on HIPAA compliance.  Your healthcare organization is held to a high standard for protecting personal data privacy, and your subcontractors, vendors and partners must be as well.

In my next post, I’ll discuss why this section of HIPAA’s omnibus rule is important for all healthcare entities – especially those that outsource critical parts of their networks – and why healthcare providers need to be cognizant of their timelines for compliance.