New HIPAA Requirements: What Do They Mean for VARs?
On Jan. 25, 2013, the federal government published a revised set of security and privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA). The changes affected technology vendors and partners alike and included a revision to the definition of a Business Associate.
Prior to these revisions, HIPAA imposed legal requirements on vendors who provided certain outsourced services to “Covered Entities” (doctors’ offices, health plans, dentists, etc.) regulated by HIPAA, and who had access to the protected health information (PHI) collected by the Covered Entity. These vendors were called “Business Associates.”
When the new requirements came out in January, the definition of a Business Associate was revised to include any vendor who “creates, receives, maintains, or transmits” PHI on behalf of a Covered Entity. As a result, HHS has fundamentally changed the position of many cloud backup providers.
In short, being a Business Associate no longer appears to hinge on a vendor's access to customer PHI, but on whether the vendor receives or maintains customer PHI. Cloud vendors that may back up and/or store customer PHI therefore now fall under the scope of HIPAA and are considered Business Associates.
So, what does this mean for cloud vendors and their partners?
Cloud Vendors: To meet the requirements of Business Associates, vendors must implement administrative, physical and technical safeguards that help keep protected health information secure, and enter into Business Associate Agreements (BAAs) with Covered Entities that utilize their services.
Carbonite has spent significant time and resources to ensure it has implemented and documented the appropriate administrative, physical and technical safeguards required by the HIPAA Security Rule to ensure the confidentiality, integrity and security of its HIPAA-compliant customers' PHI. As a result of this process, Carbonite was able to start signing BAAs Sept. 3, weeks before the federal deadline.
Partners: When evaluating cloud vendors for your HIPAA-compliant customers (Covered Entities), make sure to ask if they are in compliance with the new HIPAA regulations that went into effect Sept. 23. Vendors should be able to show you a copy of their BAA and provide you with details on what policies and safeguards they’ve put into place to secure protected health information. Carbonite, for its part, has implemented safeguards that include monitoring login attempts, encrypting all user data, and implementing internal and external access and authorization procedures.
Have you made any changes in your business as a result of the new HIPAA regulations? Let us know in the comments below. For more information about Carbonite’s HIPAA-compliant backup solutions for small businesses, call 877-391-4759 or email firstname.lastname@example.org.
David Hauser is Senior Director, Channel Development at Carbonite, a leading cloud backup service provider. Monthly guest blogs such as this one are part of The VAR Guy’s annual platinum sponsorship program.