Are Cloud Providers a “Conduit Exception” to the HIPAA Omnibus Rule?

Cloud computing providers do NOT fall under the conduit exception to the HIPAA Omnibus Rule and must sign Business Associate Agreements

As an organization that provides health or human services, you are already well versed in all of the HIPAA requirements that regulate your organization. But are you as confident about the compliance of the organizations that are considered your “business associates?”

As stipulated in the Omnibus Rule, all of your technology providers, including your ERP, CRM, and even Cloud providers, need to work with you to develop and sign HIPAA Business Associate Agreements which define both parties’ roles in protecting protected health information (PHI). However, there is an exception to the rule that is causing some confusion.

The Conduit Exception is a line in the “Exceptions to the Business Associate Standard” that states that “a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents” is exempt from the regulations. Many cloud providers believe that this exception applies to them because they see themselves simply as “conduits” for information.

However, according to an article by the BakerHostetler law firm titled “HIPAA, Business Associates and the Cloud,” cloud providers do NOT fall under this exception. BakerHostetler maintains that “Under the Final Rule, the conduit exception only includes courier services that transport information (persistent vs. transient opportunity to access PHI). As such, covered entities must ensure that their cloud service providers are safeguarding patient information.”

Therefore, if you are leveraging cloud EHRs, e-prescribing and IT health service desks, or if your back-office systems, including your cloud ERP or CRM online solutions, contain PHI, then you must have your vendors sign a Business Associate Agreement.

Socius Cloud Services understands our obligations to our healthcare clients in providing HIPAA compliant business solutions. Contact us to learn more about how to ensure that your cloud providers are not leaving you vulnerable to HIPAA violations.