Are Cloud Providers a “Conduit Exception” to the HIPAA Omnibus Rule?

Phil Wittmer | |

Cloud computing providers do NOT fall under the conduit exception to the HIPAA Omnibus Rule and must sign Business Associate Agreements

Table of Content

    As an organization that provides health or human services, you are already well versed in all of the HIPAA requirements that regulate your organization.  But are you as confident about the compliance of the organizations that are considered your “business associates?”

    As stipulated in the Omnibus Rule, all of your technology providers, including your ERP, CRM, and even Cloud providers, need to work with you to develop and sign HIPAA Business Associate Agreements which define both parties’ roles in protecting personal healthcare information (PHI).  However, there is an exception to the rule that is causing some confusion.

    The Conduit Exception is a line in the “Exceptions to the Business Associate Standard” that states that “a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents” is exempt from the regulations.  Many cloud providers believe that this exception applies to them because they see themselves simply as “conduits” for information.

    However, according to an article by the BakerHostetler law firm titled, “HIPAA, Business Associates and the Cloud,” cloud providers do NOT fall under this exception.  BakerHostetler maintains that “Under the Final Rule, the conduit exception only includes courier services that transport information (persistent vs. transient opportunity to access PHI). As such, covered entities must ensure that their cloud service providers are safeguarding patient information.”

    Therefore, if you are leveraging cloud EHRs, e-prescribing and IT health service desks, or if your back-office systems including your cloud ERP or CRM online solutions contain PHI, then you must have your vendors sign a Business Associate Agreement.

    Socius Cloud Services understands our obligations to our healthcare clients in providing HIPAA compliant business solutions.  Contact us to learn more about how to ensure that your cloud providers are not leaving you vulnerable to HIPAA violations.

    Gears depicting functionality

    Getting the Most From Your ERP Functionality

    John Antman

    Overview General Ledger, journal entries (JE’s) are made for a variety of reasons. For example, JE’s are used to record GL adjustments, accruals and recurring entries (e.g. depreciation or expense allocations). If external systems are used and not integrated with the GL (e.g. Payroll), JE’s can be used to enter the external system’s transactions into…
    LEARN MORE
    supply chain image of storage products

    Why Supply Chain Management is Important for Your Business

    Phil Wittmer

    Supply chain management (SCM) is a big deal. After all, a well-managed supply chain enables you to maintain a competitive advantage, tackle complex challenges, and capture new opportunities. It’s also an expansive, complex strategy spanning everything from procurement and shipping to manufacturing, inventory, and supplier relations.  In this article, we’ll explain what SCM is, why…
    LEARN MORE
    X