Despite the fact that the new HIPAA Business Associate Agreement (BAA) regulations went into effect in 2013, many healthcare organizations are still encountering the occasional cloud service provider who refuses to sign a BAA. Although they may have a logical explanation, any refusal to sign a BAA should be seen as a red flag.
Here’s the logic from their angle. There are still many cloud vendors who view themselves more as conduits of Personal Health Information (PHI). They feel their role is more akin to that of a mailman. They’re merely transporting data to others and have no real access to the actual contents.
If the data is encrypted and cannot be read, or If they don’t touch the actual PHI data at all, the cloud service vendor will argue that HIPAA regulations do not apply to them and possibly refuse to sign a BAA.
Fair enough, right? If the data is encrypted and the vendor doesn’t hold the encryption key, what’s the problem? Well, here’s the problem.
File this in the unlikely yet not improbable category. Let’s say that the PHI data wasn’t properly encrypted before it was sent into the cloud or unencrypted data was mistakenly transferred over to the cloud service provider. If the cloud provider has refused to sign a BAA, this jeopardizes your HIPAA compliance and could potentially result in a fine anywhere from $50,000 to $1.5 million.
This is why those in the healthcare sector must move on from any cloud provider that is reluctant to sign a BAA. They are basically refusing to be complaint since the new HIPAA Omnibus Rule clearly defines a business associate as anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. By refusing to share accountability for HIPAA compliance, they’re a liability to your organization that you just can’t afford.