Q&A: Business associate agreements with cloud service vendors
Q. If we discover that our business associate (BA) uses a cloud service vendor for certain services, do we need to see proof that the BA has executed a BA agreement (BAA) with the cloud service vendor?
A. Covered entities (CE) are not required to ask their BAs to provide copies or proof of BAAs the BA executes with its BA subcontractors. The requirement that a BA must enter into BAAs with its subcontractors should be addressed in the BAA executed between the CE and the BA. That said, you do need to implement a third-party vendor management program where you at least periodically assess or question your critical BAs. Critical BAs would be defined as BAs that support a critical function or that store large volumes of your PHI.
If your BA is responsible for a breach and the breach involves 500 or more individuals, you will receive an investigatory letter from OCR. If you can’t demonstrate that you’ve exercised due diligence with your BAs, you may well be found guilty of willful neglect. Such a finding could lead to civil penalties, monetary settlements, and corrective action plans. OCR has been active lately and making headlines for investigations following breaches. It’s a good idea to also read OCR’s recently released cloud security guidance. The guidance can be found at www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.
Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.