The Clock is Ticking on Your Cloud Vendors

By Maureen Kaplan
April 03, 2013
08:29 AM

All organizations have a business imperative to control risk.  For healthcare companies that corporate responsibility extends to the protection of ePHI within their organization.  The HIPAA Omnibus rule outlines this responsibility with a refined definition of responsible parties, notably your outsourced storage vendors and subcontractors.  

This final rule is a call to action, with a six month timeline (September 23, 2013 being the compliance date), to make sure your vendor relationships for cloud computing and hosted data storage are with a company who will stand behind their security controls and oversight with a Business Associate Agreement (BAA).  

Your vendor should provide you with specific details about the physical location of your data along with the technical, administrative and physical safeguards in place at that location. This is an ideal time to dive into the details with your vendor, ask the tough questions about their controls and security methodology, and document that evidence for your compliance team.  

As an example, if, after the compliance date, a security or breach was to occur and it’s determined that the vendor who has storage responsibility for ePHI was involved, and that vendor was not a Business Associate (BA), the Covered Entity who hired that vendor (i.e. the healthcare organization) can be found liable and face civil money penalties (CMP) for each violation found.

The penalties will be tiered and stem from low hundreds (for minor “unknowing” infractions) to high, $50K+, (for serious “willful neglect” infractions).  The onus will then be on the Covered Entity and the Business Associate to provide the justification/interpretation of the HIPAA Omnibus rule for continuing the vendor relationship outside of a BA.

These efforts will pay off in terms of better risk management and alignment to the final rule on HIPAA compliance.  Your healthcare organization is held to a high standard for protecting personal data privacy, and your subcontractors, vendors and partners must be as well.

In my next post, I’ll discuss why this section of HIPAA’s omnibus rule is important for all healthcare entities – especially those that outsource critical parts of their networks – and why healthcare providers need to be cognizant of their timelines for compliance.  
 

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Abstract of lines connected in a mesh over a map of the U.S.
Epic APIs move to USCDI v3

Most Read

Thailand-Russia cooperate for telehealth and more briefs
Generative AI is this CISO's 'really eager intern'
HIMSSCast: Toward safer and more secure use of AI
Q&A: How redundancy enabled resilience after Crowdstrike outage
Salesforce to launch pre-built AI tools for healthcare
What providers need to know about migrating their EHR to the cloud

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

UC Davis Medical Center and chief AI officers
CAIOs must understand policy and business strategy, in addition to healthcare and IT
Dennis Chornenky at UC Davis Health_PART 2_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
Chief AI officer: Multidimensional tech needs multidimensional leadership
Dr Der-Yang Cho at China Medical University Hospital_HIMSS24 APAC
A Taiwanese hospital's commitment to healthcare AI
Dennis Chornenky of UC Davis Health on chief AI officers
Chief AI Officer: Healthcare's hot new role demands a rare combination of skill sets
Doctor looks at a desktop computer screen in a medical office
Vendor AI Roundup: Enhanced EHR offerings designed to give practices a leg up
Dennis Chornenky at UC Davis Health_PART 1_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
UC Davis Health's inaugural AI chief discusses the responsibilities of the role
Greg Garcia of HSCC at the HIMSS Healthcare Cybersecurity Forum
Work like 'a beehive, an ant colony' to protect against cyber intruders
Hands use a Medtronic device on a patient's hand to aid in testing pulse oximetry quality
Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance