With the vast amount of changes in healthcare regulations, it may have been easy to overlook a portion of the new HIPAA Privacy, Security, Enforcement and Breach Rules that related to cloud computing. Because these rules apply to any person or entity that “creates, receives, maintains, or transmits” any private health information, that means they apply to cloud service providers who are now considered “business associates” of the healthcare clients in the eyes of HIPAA.
If you are a healthcare organization working with Socius or another cloud provider, you need to be aware that your cloud provider must commit to a business associate agreement to comply with the Breach Notification Rule. The cloud computing service provider must also agree to yearly HIPAA audits, and its staff must be trained on cloud data security. The cloud provider's policies and procedures must also be in accordance with the HIPAA security guidelines.
As a result, both the cloud computing firm and the healthcare company are liable for any violations of the HIPAA rules. Likewise, you as the covered healthcare company are also directly responsible for every action of your cloud computing provider.
I share this with you not to scare you away from doing business in the cloud, because the cloud can be a highly efficient and cost-effective place for you to move your health records, but to encourage you to take extra care when selecting cloud providers.
If you have any questions about Socius Cloud Solutions or our ability to comply with HIPAA regulations, please contact us today!
Source: CloudTimes, January 24, 2013