Yes you are a HIPAA Business Associate! It’s what the law says that counts!

HIPAA Business Associate Avoidance

The HIPAA Omnibus Final Rule (see page 5572) was announced in January, 9 months ago, and was very clear that a business that stores electronic Protected Health Information (ePHI), even if it never accesses it, is a HIPAA Business Associate. That’s why Google Apps, Amazon Web Services, and many others each agreed to act as a HIPAA Business Associate rather than face the resulting loss of business if they didn’t.

They must have figured out that you don’t have to be a traditional health care business to have to comply with HIPAA. Many companies that support health care providers and payers are HIPAA Business Associates: lawyers that represent doctors and hospitals in patient lawsuits, accountants that audit health care clients, collections companies, insurance agents, and more. Any patient data stored in their systems is just as protected as a patient’s record in a doctor’s system.

The HIPAA Omnibus Final Rule says in clear, simple English…

“…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.

To help clarify this point, we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” (emphasis added) protected health information on behalf of a covered entity.”

Storing data, even if it is encrypted and behind locked cage or cabinet doors, qualifies a data center, cloud service, or online backup provider as a HIPAA Business Associate.

Enforcement was suspended to give everyone time to comply. So why, after enough time to have a baby, are companies that ‘maintain’ (store) protected health data still denying that they must comply with the law? I have withheld the names of the companies quoted below that are denying they are HIPAA Business Associates.

Just this week I saw the following from an online backup company:

 Business Associate Agreement

Our customers have a private encryption key that is self-managed. So a business associate agreement is not required with _____. This covers the reasonable probability that protected health information can be accessed.

Really? That’s not what the law says.

There is no exemption in the Omnibus Final Rule related to the management of encryption keys, so according to the law _____ is a Business Associate.

The reality in the IT world is that small and medium businesses hire outsourced IT companies to manage their networks. Most clients would not know what to do with encryption keys, so they have their IT vendor manage them so their data can be accessed and recovered after a disaster. In that arrangement the ‘self-managed’ key is actually held by a third party.

While it is virtually impossible to brute-force a file protected with 256-bit encryption, it is much easier to break into the weak systems people use to store their encryption keys. An attacker goes after the key, not the cipher.

In its HIPAA marketing, one large online backup company advertises that you can get to your data “Anytime, Anywhere” provided the user is not managing their own encryption key. In other words, the provider holds the key and can decrypt the data.

Isn’t that like buying an expensive lock for your door and then hanging the key on the doorknob?

We Promise We Won’t Touch Your Data

A well-respected data center sent this in a contract addendum to a client in response to a request for a Business Associate Agreement:

Customer Data. The parties acknowledge and agree that _____ does not require or request access to, use of, or receipt of information transmitted, stored or processed on or through the Customer Equipment (including end customer information) (“Customer Data”) in connection with the performance of ______’s obligations under the CFA. ______ covenants not to access or attempt to access any Customer Data without the prior written consent of Customer…

Really? That’s not what the law says.

A “covenant not to access data” does not change the FACT that, according to the law, ______ is a Business Associate. And there is no exemption for encrypted data. If ePHI is stored in its facility, then the data center is a Business Associate.

Don’t Worry, It’s Encrypted

I recently sat in on a webinar put on by an online backup company. Their ‘HIPAA expert’ told their IT reseller partners that “if the health data they came in contact with was encrypted then they were not Business Associates and did not have to sign agreements.”

Really? That’s not what the law says.

There is no exemption for encryption, so their partners that come into contact with ePHI, even encrypted ePHI, are Business Associates.

To all of you HIPAA-deniers, you can run but you can’t hide. You are a HIPAA Business Associate no matter what you say.

“…an entity is a business associate if the person or entity meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.” HIPAA Omnibus Final Rule

If you store ePHI, even if it is encrypted, locked in cages and cabinets, and you swear you will never access it, you are a HIPAA Business Associate.

If you won’t acknowledge your compliance responsibilities under the law, anyone storing ePHI with you is committing a HIPAA data breach, with civil penalties of up to $1.5 million per year for violations of an identical provision.

If you are running away from HIPAA your customers should be running away from you.

Google Update

“When you put your data in Google Apps, you still own it, and it says just that in our contracts.”

In late September Google quietly began offering HIPAA Business Associate Agreements (BAAs) to businesses that purchase its premium Google Apps for Business cloud services. BAAs are available on request after you answer just a few basic questions. The Terms and Conditions for Google Apps for Business guarantee the security of your information.

IMPORTANT! – Google is NOT offering Business Associate Agreements to those using its FREE Gmail service. A medical or dental practice using free Gmail to send and receive electronic Protected Health Information is committing a HIPAA data breach because (a) Google will not sign a BAA and (b) Google’s terms and conditions allow it to share, even publish, anything in free Gmail.

"originally written for 4MedApproved"