Understanding the Risks When Your Cloud Provider Lacks HIPAA Knowledge
By JACOB REIDER & JODI DANIEL


Jacob: Recently, I found myself needing to establish a Business Associate Agreement (BAA) with a prominent hosting provider for an innovative health IT initiative. What should have been a simple process turned into an extensive educational journey regarding fundamental HIPAA compliance—by “fundamental,” I mean the very definitions outlined in the law itself.
This is my experience and why it’s crucial to be vigilant when developing healthcare technology.
I am working on a platform designed to automate clinical data extraction for research purposes. As any conscientious health tech firm would do, I require infrastructure that complies with HIPAA regulations. The company (which I’ll refer to as Hosting Company or HC) has solid technical capabilities and is managing our development environment. Therefore, I opted for their premium support plan (a prerequisite before they would even consider signing a BAA) and requested their standard agreement.
The Issue at Hand
The BAA provided by HC presumes that every client is classified as a “Covered Entity.” This term refers to health plans, healthcare clearinghouses, or healthcare providers who electronically transmit health information.
This does not apply to me; I am not classified as a Covered Entity but rather as a Business Associate (BA). My role involves managing protected health information on behalf of Covered Entities. Consequently, when seeking cloud services, it’s essential that my vendors sign subcontractor BAAs with me.
The Negotiation Process
“To HC’s understanding, even if you are acting as a subcontracted association down the line from another entity involved in this agreement with us… your business still falls under the definition of covered entity since it pertains directly to your operations.”
I had to read this statement multiple times—it was fundamentally incorrect.
Jodi: Allow me to provide some legal insight here; such misunderstandings are more prevalent than one might expect.
The terms “Covered Entity” and “Business Associate” carry specific legal meanings defined in 45 CFR § 160.103—they cannot simply be redefined for convenience’s sake. Generally speaking… covered entities include most healthcare providers and plans along with clearinghouses; business associates are those who access protected health information while providing services on behalf of these entities; subcontractors refer specifically to individuals or organizations delegated functions by business associates.
The regulations clearly state:
Covered entities must establish BAAs with those using protected health information for service provision under 45 CFR § 164.502(e). Furthermore, according to sections § 164.502(e)(1)(ii) and § 164.308(b)(2), BAs are mandated—not just permitted—to execute BAAs with any subcontractors handling PHI on their behalf.
When this occurs:
- A Covered Entity (like healthcare providers involved in Jacob’s research study) has established BAAs with Jacob’s organization (designating him as a BA).
- This means Jacob must also secure agreements from any Subcontractors like HC who may manage PHI on his company’s behalf.
- This relationship designates HC as another Business Associate through this contractual link.
The importance of these distinctions cannot be overstated when it comes time for compliance audits or assessments by OCR officials or HITRUST evaluators—all expect the contractual relationships within the data flow to be accurately represented.
Jacob: Absolutely… here lies the practical dilemma: signing off on documentation labeling my company incorrectly as a Covered Entity could lead us into serious legal trouble.
After explaining this situation thoroughly—including citing relevant CFR sections mentioned earlier—and providing examples from Google Cloud’s approach which accommodates both types within one document—HC finally agreed after nearly three weeks of discussions.
Your Takeaway From This Experience
Jodi: You’re spot-on, Jacob! It’s critical, not only legally but ethically too, to avoid signing documents that misrepresent your status within the HIPAA framework if you’re developing technology that connects directly to patient care systems:
- Know your role within the HIPAA framework. Are you a CE or a BA? Most tech firms operate as BAs if they provide services to healthcare providers and handle PHI in their operations.
- Diligently review any proposed agreements before signing. Terminology matters: if a vendor only recognizes CEs in their agreements, that should raise red flags about their understanding of subcontractor scenarios.
- Dare to challenge mischaracterizations. If vendors insist on language that misrepresents your role, ask them for revisions or request access to an attorney familiar with these regulations.
- Prepare yourself for educational moments ahead. Many legal teams at cloud providers may lack complete knowledge regarding the cascading requirements under HIPAA, so be ready to walk them through it using examples from AWS or Microsoft Azure, who have navigated similar situations successfully before.
Jacob: So …
