March 5th, 2013

LuxSci has Explicit HIPAA Agreements with Vendors – including McAfee

The HIPAA Omnibus rules are on everyone’s mind as they scramble to bolster their HIPAA compliance before it’s too late. Among many other things, like stricter enforcement and breach notification rules, the Omnibus rules finally extend the requirements for HIPAA compliance to all of a Covered Entity’s Business Associates, and to all of the vendors that those companies use, etc., all the way across to anyone who could possibly come into contact with ePHI … even if they otherwise might not even know it!

As a result, affected organizations must ensure that they have HIPAA Business Associate Agreements in place with all vendors which interact with their ePHI … and they need to check to be sure that these vendors are doing the right thing as well — BAA contracts with their own vendors.

Why?  As HIPAA is evolving, so are the requirements imposed by HIPAA, and thus so does the landscape of trust.  Many vendors who claim to enable compliance have never had to reflect on whether their own vendors were also compliant, let alone require agreements with them. Now, that is essential.

LuxSci and its Vendors

LuxSci works hard to keep up with the shifting and coalescing HIPAA landscape.  We have had Business Associate agreements in place with our Data Center provider, Rackspace, and our partner for MobileSync mobile device synchronization, Nuevasync, for several years.

One other vendor of ours that comes into contact with customer ePHI is McAfee, our partner for Premium Email Archival and Filtering. For a long time, we have not had an explicit BAA with them; instead we have had a statement from their legal department on how their services are not subject to HIPAA as they are merely a conduit for email and because their staff never comes into direct contact with it, except on an incidental basis. This is true to some extent, but a bit thin, especially when you consider Email Archival. However, prior to the Omnibus rule, there was enough grey area in HIPAA that this stance could perhaps slide … maybe. Still, we were not satisfied and have been pushing on McAfee for a real HIPAA BAA for some time.

Finally, with the Omnibus rule here, compliance deadlines swiftly approaching, and LuxSci constantly reminding them, McAfee has finally seen the necessity to take HIPAA very seriously and to put compliance agreements into effect — they are a security company after all. Their only other choice would have been to stop selling to the medical segment and to lose partners like LuxSci.

LuxSci has just signed its Business Associate Agreement with McAfee, making it the first McAfee vendor to have such a BAA with them for the sale of services to customers requiring HIPAA compliance.

Other vendors have followed suit, now that the onus is clearly on them to provide BAAs or lose customers. As a result, LuxSci has also been able to secure HIPAA Business Associate Agreements with Rackspace for its “Public Cloud” services and with Amazon for all of the “Amazon Web Services” cloud offerings. These will allow LuxSci to expand its services and infrastructure in a HIPAA compliant manner.

HIPAA customers of LuxSci have Business Associate Agreements with us, and we have Business Associate Agreements with all of our vendors that may come into contact with your ePHI — Rackspace, Nuevasync, and now McAfee and Amazon. We encourage you to check with your other vendors to make sure that they are also taking the right steps for compliance.
