HIPAA – Just Doing It Is No Longer Enough

The HIPAA Final Omnibus Rule (the “Final Rule”), published in January 2013, has made many changes to the HIPAA regulations.

Data centers who handle protected health information (PHI) for their clients invariably have to comply with HIPAA provisions. However, it is not enough that data centers simply provide the data protection and safeguard measures stipulated in the act. The new “Final Rule” makes a business associate agreement (BAA) essential.

Many covered entities are not yet aware of the need to have a BAA. Among those who realize the necessity of a BAA, many sign the BAA with data centers and other agencies handling their PHI data without considering the implications of the provisions in the agreements. Entities covered by HIPAA, but unaware of the details of the act, need to look for the following when signing BAA and entrusting their PHI to third-party data centers.

• Check Ability to Implement: Take a close look at the key provisions of “The Final Rule”, such as breach notifications, indemnification, reporting time-frames, insurance, state laws and more, and check whether the data center has the infrastructure and systems in place to deliver as promised. Clients also need to specifically look for basic security and protection measures, such as data-in-motion encryption with HTTPS and data at rest encryption.
• Check Extent of Implementation: Make sure the data center implements the terms of the BAA in its daily operations, including setting privacy policies, procedures, standards, training, controls, metrics, monitoring and governance.
• Check whether Data Center has Third-Party Validation. Data centers who have secured third-party HIPAA compliance validation from any leading HIPAA security law send out a strong message that they actually have procedures and safeguards in place to comply with what is written in the BAA.
• Check who has drafted the BAA: Data centers need to provide clients with “Covered Entity” and “Business Associate” versions of the updated BAA. Data centers that draft a BAA using the help of a leading and reputable legal authority adds to their credibility.
• Consider training workforce: A trained workforce is important when trying to achieve HIPAA compliance. Make sure that the data center trains employees regularly. Without training, implementation will usually be poor, resulting in a waste of time even the strongest of policies.
• Check compliance: Above all legal terms, make sure that the data center has a culture of HIPAA privacy and security. The data center being open and welcoming to the need for updating BAA’s and working proactively towards achieving best practices is a tell-tale sign of such a culture.

Those who are wondering what to include in the BAA could look up sample BAA provisions listed on the U.S. Department of Health and Human Services website. These provisions are, however, only a sample to get started, and signatories to the agreement are free to customize the BAA as they see fit, depending on their specific requirements.

The Final Rule mandated all BAAs to comply with current HIPAA regulations fully by September 22, 2014. Non-compliance could attract legal prosecution and penalties, with fine ranging up to $1.5 million.

Lifeline Data Centers fosters a culture of compliance, security and excellence. We are consistently working to improve our services, and we are proud to say we are one of the most compliant data centers in the nation. To learn more, schedule a tour with us today.

Alex Carroll

Managing Member at Lifeline Data Centers

Alex, co-owner, is responsible for all real estate, construction and mission critical facilities: hardened buildings, power systems, cooling systems, fire suppression, and environmentals. Alex also manages relationships with the telecommunications providers and has an extensive background in IT infrastructure support, database administration and software design and development. Alex architected Lifeline’s proprietary GRCA system and is hands-on every day in the data center.