The HIPAA Omnibus Rule made major changes to how Business Associates are regulated under HIPAA.
How can I tell if my cloud vendor is HIPAA compliant?
One of the most frequent questions that we get asked by clients:
How can I tell if my cloud vendor is HIPAA compliant?
A lot goes into being HIPAA compliant, and it is hard enough ensuring that your own organization is compliant, let alone determining whether another organization is. There is, however, a basic rule you can use to help weed out companies that are not compliant.
The HIPAA Omnibus Rule makes it clear that if you are storing electronic protected health information (ePHI aka patient information) on any servers that are not your own, that vendor MUST sign a HIPAA Business Associate Agreement (BAA). If the vendor says they don’t need to sign a BAA or refuses to sign a BAA, then you should not use them to store or maintain ePHI. Signing a BAA does not make them HIPAA compliant but without signing the BAA they can’t be HIPAA compliant.
Examples of cloud Business Associates
Here are some examples of companies that would be Business Associates (BA) if you are storing ePHI on their servers:
- Dropbox – if you use Dropbox to store ePHI they would be a BA (as of today they will not sign a BAA)
- AOL, Yahoo, Comcast, Optonline, etc. – if you are using any of these for email and the emails contain ePHI, then they would need to sign a BAA (as of today none of these vendors will sign a BAA)
- Box – if you use Box to store ePHI they would be a BA (Box will sign a BAA)
- Microsoft Office 365 – if you are using any products in the Office 365 suite, e.g. Exchange Online, SharePoint Online, etc., they would be a BA (Microsoft will sign a BAA)
- Google Gmail or Google Apps – we go into detail here about Google’s willingness to sign a BAA
Take away
A Business Associate Agreement does not make an organization HIPAA compliant, but it is a requirement and a step in the right direction for Business Associates. A vendor that refuses to sign a BAA sends a clear signal that it is not complying with the HIPAA Omnibus regulations, and you should neither store ePHI with that vendor nor disclose ePHI to it. There are some exceptions to the rule (e.g. your ISP, such as Verizon or AT&T, is not required to sign a BAA), but for the most part, using the BAA as a rule of thumb will help weed out vendors that are not HIPAA compliant.