As we mentioned here and here, the HIPAA Omnibus Rule has a significant impact on HIPAA Business Associates. There is some debate over exactly which Cloud Providers qualify as Business Associates. One thing that seems clear is that if you are storing protected health information (PHI) unencrypted at a Cloud Provider, the Cloud Provider is most likely a Business Associate. This could have a profound effect on Covered Entities (CEs), especially smaller CEs.
Cloud Based Email
Many smaller CEs are still using Google (Gmail), Yahoo or AOL for their email. And one thing is clear: CEs use email to communicate about patients. Physicians may ask about patients' test results, Physician Assistants may relay patient conversations to other CE members, billing staff may share patient account status, etc. Each of these examples most likely involves sending PHI via email.
If the CE is using Cloud Providers such as Google, Yahoo or AOL and is sending PHI through them, then the Cloud Provider would be considered a HIPAA Business Associate. As a Business Associate, each of these Cloud Providers would be required to sign a HIPAA Business Associate Agreement (BAA) with the CE. None of the previously mentioned Cloud Providers (Google, Yahoo or AOL) is willing to sign a BAA with a CE. That would make using these services to send and store PHI a HIPAA violation. Keep in mind that even if the CE is not sending PHI to a patient, but is simply using a Cloud Provider's email service for its day-to-day PHI communications, the CE would be in violation of the HIPAA Security Rule for not having a BAA with the Cloud Provider.
Microsoft Office 365
Microsoft Office 365 is a cloud solution that provides email, instant messaging, calendaring, file and data storage, etc. Microsoft is willing to sign a BAA with a CE that uses the Microsoft Office 365 platform. Microsoft seems to be the only large Cloud Provider that is willing to sign a BAA. With full Exchange email online starting at $4/month per user, it is a very affordable HIPAA compliant solution for CEs. Add the benefits of Lync instant messaging (IM) for quick conversations, screen sharing and even voice calling for an additional $2/month per user and you have a very affordable, robust HIPAA compliant communication platform.
Microsoft has built a very affordable, HIPAA compliant cloud service and is clearly aiming at CEs of all sizes. It will be interesting to see how Google, Yahoo and AOL respond. How long Microsoft enjoys its niche as the only HIPAA compliant cloud service remains to be seen.
For more information on Microsoft Office 365 and other HIPAA compliant cloud solutions including email encryption, laptop and smartphone encryption, offsite data backup, disaster recovery and network security monitoring, check out our HIPAA Technology Suite.