4/30/2013
10:55 AM

Microsoft Updates Cloud Agreement For HIPAA Rules

Microsoft responds to new HIPAA regulations that make cloud service providers "business associates" of healthcare providers and health plans.

10 Mobile Health Apps From Uncle Sam
Cloud service providers are starting to take notice of the new HIPAA security regulations that define them as "business associates" of HIPAA-covered entities such as healthcare providers and health plans. Microsoft has just announced a revised business associate agreement (BAA) for its cloud services that reflects the new HIPAA Omnibus Rule governing data security. Last week, Box, which offers another cloud storage and information sharing platform, made a similar announcement, claiming that its compliance with the latest HIPAA regs distinguishes it from most of its competitors.

Among other things, the HIPAA Omnibus Rule, which went into effect March 26, requires covered entities to sign BAAs with business associates that commit the latter to protect personal health information (PHI) when it's under their control. The business associates must also sign BAAs with subcontractors that have access to PHI. And business associates are directly accountable to the Office of Civil Rights in the Department of Health and Human Services for security breaches.

The definition of "business associate" has also changed, noted Hemant Pathak, assistant general counsel of Microsoft, in an interview with InformationWeek Healthcare. Now it includes firms that maintain and store PHI, such as cloud storage providers, as well as those that create, receive or transmit PHI.


Microsoft's new BAA applies to Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services. Microsoft HealthVault, the company's personal health record platform for consumers, has had its own BAA since 2009. That pact has also been upgraded in accordance with the Omnibus Rule, Pathak said.

Microsoft put a BAA in place for Office 365 in 2010 and subsequently offered it for its other cloud services. It developed the agreement in conjunction with a consortium of covered entities, including health insurer WellPoint and the academic medical centers of Duke University, the University of Iowa and Thomas Jefferson University, Pathak said. That initial BAA complied with the proposed HIPAA requirements embodied in the HITECH Act of 2009.

"All those customers told us, with HITECH coming online, that a BAA was a threshold minimum requirement to consider a subscription to a cloud service such as Office 365," Pathak said.

The first customer to sign the revised BAA was Johns Hopkins University, he noted. In addition, the Texas Department of Health and Human Services and the city of Chicago have already signed the agreement, he said.

Microsoft's strategy in offering a single BAA that covers all of its cloud services (HealthVault excepted) is to make life easier for its customers, said Dennis Schmuland, Microsoft's chief health strategy officer, U.S. health & life sciences, in an interview. "We're trying to simplify things for the customers and enable them to consolidate their cloud strategy under a single governance, risk and compliance framework," he said. "That allows them to have a BAA for multiple cloud offerings, whether they're for productivity, communications, collaboration, data hosting, application hosting or CRM. One business associate agreement serves all of those."

The new BAA has been designed to fit entities of every size, from a five-physician practice to a 50,000-user organization such as Advocate Healthcare in Chicago, Pathak said. While some customers have asked Microsoft to enter their own agreements, he said, the company insists that everyone sign its BAA.

"It's not really feasible and not scalable for us to manage that subscription service out of our data centers to each individual customer's requirements," he explained. "It has to be managed and delivered in a uniform process to all our subscribers."

Some healthcare providers have not asked cloud service providers to sign BAAs in the past, but any covered entities that fail to enter these agreements run a serious compliance risk, Pathak noted. Schmuland agreed. "We'll provide the protections, regardless, and we'll help them comply. But if they choose not to sign a BAA, they're at risk," he said.

Beyond the HIPAA security requirements, he added, Microsoft is also committed to protecting the privacy of PHI, both for covered entities and consumers. The company promises not to mine the data or use it for any secondary purposes, and it guarantees that it will not commingle data from one covered entity with that of any other entity that uses its cloud services.

Comments
jaysimmons,
User Rank: Apprentice
5/12/2013 | 5:21:55 AM
re: Microsoft Updates Cloud Agreement For HIPAA Rules
With the amount of cloud services available right now, the providers have to always take into account any changes in HIPAA regulations, especially if any health provider is to use their service. All providers and entities that deal with PHI need to take into account that their cloud providers need to offer them the protection necessary to comply with HIPAA regulations, as the repercussions can be costly. Signing these BAAs helps protect these companies against any miscues.

Jay Simmons
Information Week Contributor
Kevin Henry,
User Rank: Apprentice
4/30/2013 | 9:40:17 PM
re: Microsoft Updates Cloud Agreement For HIPAA Rules
This article brings up some good points that a lot of organizations that are now classified as Business Associates are unaware of in terms of HIPAA Compliance. The fact that these businesses are directly liable for any security breach and the possibility of a $1.5M fine should be an eye opener. This is why we are building Accountable (http://accountablehq.com) to help organizations manage their HIPAA compliance including Business Associate Agreements, employee training, and policies and procedures.