Migrating to a Cloud Service: Is your BAA in place?

In a recent LinkedIn discussion between colleagues in our HIPAA Survival Guide group, a member posed an interesting question that probably doesn’t usually garner much attention in the general scheme of things when upgrading technology: If a company is a HIPAA Covered Entity and is migrating to Microsoft Office 365 (which is a cloud-based solution) what steps need to happen for a Business Associate Agreement (BAA) to be “official”?

As you can imagine, the question generated a flurry of activity and thoughts on the matter. Many of our members posited excellent sample and situational scenarios to help out.

My general response simply took Apgar and Associates’ own recent migration into account. We entered into a BA relationship with Microsoft as our BA subcontractor. (Microsoft, as you’d expect, has its own FAQ about HIPAA and HITECH.)

Here’s a tip: e-sign the “optional” BAA that Microsoft provides. Because if you don’t e-sign the BAA, Microsoft is not bound by the terms.

Now, there are two ways to get a signed BAA from Microsoft.

1.     You bulk license Office 365 from Microsoft. Signing would be a part of the licensing.

2.     For non-bulk purchases, you e-sign on Microsoft’s web site. There is a link in the FAQ to the contract addendum.

As far as HIPAA security goes, Microsoft claims compliance. There’s a lot of information out there documenting said compliance, but it doesn’t hurt to check out the documentation to make sure you’re comfortable with any risks associated with dealing with Microsoft.

A follow on question asked, “Does the absence of a signed BAA absolve the BA of liability?”

Generally speaking, I tend to agree that the absence of a signed BAA doesn’t completely absolve the BA of liability should privacy be breached. However, if you are a health care entity and will be using Microsoft’s servers to store PHI, then as a responsible CE (or BA), you need to notify Microsoft of that fact. This is no different than how you would handle a relationship with any cloud vendor. If customers, law firms, for instance, sign up for services, and one law firm is a BAA and another is not, the cloud vendor can’t assume the law firm is a BA and therefore, the cloud vendor is a BA subcontractor.

Cloud vendors who store PHI are BAs but they need some clue that they are storing PHI. When it comes to cloud services, PHI and BAAs, it’s not always as clear-cut a situation as we’d prefer. We do ourselves and our data a disservice if we don’t take the extra effort to assure everyone is informed and the proper, signed agreements in place.

Chris Apgar, CISSP, CEO, is a frequent educator and panelist for OMA, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. For all of your privacy and security compliance consulting needs, call the HIPAA experts at Apgar & Associates: 877-376-1981.