The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law whose purpose is to safeguard the protected health information (PHI) of patients. While HIPAA is typically seen as a set of regulations specifically for healthcare providers, it’s actually more far-reaching than that: pharmaceutical companies, insurance providers, and any other organization that comes into contact with patient PHI are required to be HIPAA compliant as well. With all these organizations, it’s fair to say that the HIPAA industry is vast – and growing. In fact, an estimated 26 million Americans will be required to be HIPAA compliant by 2022.
But even more important than the size of the industry is the extent of the job they’re required to do. With modern medical advancements, healthcare has become so complex that oftentimes one single institution can’t do it all. Instead, they rely on specialized partners and other third-party healthcare organizations to help. In addition, billing, legal, finance, and other administrative tasks are often outsourced to enable the institution to focus exclusively on patient care.
Regardless of the outsourced company’s specific industry or purpose, if it comes into contact with patient protected health information (PHI), the covered entity must ensure that this sensitive health information remains protected. Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. These are three rules of HIPAA:
HIPAA requires that covered entities have a business associate agreement (BAA) with these third-party contractors to ensure they also meet the HIPAA requirements. Simply stated, a BAA enables the provider to disclose patient PHI to these business associates, as necessary for the associate to perform its duties, while requiring the associate to handle that information in accordance with HIPAA. Any associate that further subcontracts any HIPAA-related work to another contractor also needs a BAA (often termed a BAA – BAA) with that subcontractor. According to the U.S. Department of Health and Human Services, BAAs pertain to cloud service providers (CSPs) as well, even if the CSP only processes or stores encrypted ePHI and lacks the encryption key for the data.
The BAA is therefore tremendously beneficial to the covered entity, because it enables them to outsource essential business and administrative functions to third parties that can handle them quickly and cost-effectively without jeopardizing their HIPAA compliance. But it’s essential to choose the right partner – one that not only understands HIPAA regulations but also has a business model suited to maintaining compliance.
The Business Associate Agreement (BAA) is required when an individual or entity performs functions or activities on behalf of a covered entity. Here is the full agreement from HHS.
Morro Data CloudNAS is a hybrid cloud storage solution that enables covered entities to use the cloud for their primary and secondary storage. CloudNAS is an ideal solution for HIPAA-covered entities because it blends the best of both worlds: like a traditional on-premises solution, it enables entities to maintain centralized IT control over their PHI, yet its cloud-first architecture also delivers the security and advanced data protection that only the cloud can provide. Morro Data already adheres to stringent HIPAA regulations, and Morro Data also has BAAs with its cloud object store providers. For covered entities, Morro Data has a standard BAA that follows the HIPAA requirements available for download, so covered entities can quickly get started with Morro Data. With CloudNAS simplicity, a covered entity can be up and running in days, sharing files across sites or archiving records for easy, rapid retrieval. Unlike traditional backup and archive, which aggregates files into a single backup file that IT must retrieve, Morro stores each file individually with full version control, so files can be accessed directly by the user.
CloudNAS makes it easy to get up and running immediately; the only hardware required is a palm-sized CacheDrive. All data is saved to the CacheDrive through a convenient drive-letter interface, and the CacheDrive then automatically syncs all files to the cloud in the background. The files can be immediately and continuously accessed by multiple users at LAN speeds over your regular broadband connection.
When it comes to HIPAA regulations, you need partners and technology you can trust. Morro Data has the experience you need and the technology that allows your IT to maintain complete control over your PHI. And because it’s efficient and cost-effective, it fits your business model as well.
Visit morrodata.com/solutions/hipaa/ to learn how you can use Morro CloudNAS to reduce your administrative costs while maintaining HIPAA compliance.