baa Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘baa’

What is HIPAA-Compliant Cloud Storage?

Friday, November 11th, 2016

HIPAA-compliant cloud storage complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure the security of healthcare patients’ data stored on remote servers accessed from the internet.

HIPAA governs how healthcare providers and their business associates, as defined in the Act, can store, manage, and share personal health information (PHI). If you’re a healthcare provider (or a cloud storage provider working with a healthcare provider), it’s important to understand how HIPAA applies to cloud storage.

With the rising popularity of services like iCloud and Dropbox, many people and companies have become more comfortable with cloud storage. There’s no question these services are convenient; being able to access universally synced data anytime, anywhere, from any device, is incredible.


But that doesn’t mean these services are HIPAA-compliant. HIPAA introduces particular requirements that not every cloud storage provider satisfies.

Don’t make the mistake of assuming that a particular cloud storage option will comply with HIPAA. Storing your data “in the cloud” can make it difficult to achieve the level of security required of healthcare.

Here’s what you need to know about cloud storage to make sure your data is safe and sound — and HIPAA-compliant.

Read the rest of this post »

Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.

Read the rest of this post »

Alert: September 22nd is the Deadline for Getting Updated HIPAA Business Associate Agreements

Wednesday, September 10th, 2014

HIPAA Omnibus went into effect a year ago and it introduced many new rules that require HIPAA Covered Entities and Business Associates to enter into new/revised Business Associate Agreements (BAAs) with each other; agreements that properly reference Omnibus and its requirements.

All BAAs entered into before January 25, 2013 were temporarily grandfathered in and you have until September 22nd, 2014 to enter into a revised contract.  Agreements entered into after January 25th, 2013 must already be compliant.

This is a significant reminder and warning.  Please check the date on all of your HIPAA BAAs and make sure that they are updated

Read the rest of this post »

5 Things Everyone with HIPAA Email Should be Doing

Monday, August 25th, 2014

Ok — So you have “HIPAA Compliant Email” because you just signed up with a company that says they handle that.  One thing checked off of your “to do” list and on to the next.

Well, not so fast.

HIPAA is a complex beast, as you are probably already aware.  Just signing up for a service that claims to be HIPAA compliant does not mean that you are done.  You may need to:

  1. Learn nuances of what you can and can’t do in order to remain compliant
  2. Train yourself and your staff on these nuances
  3. Make sure that you have purchased all of the things needed by your organization for your particular compliance goals
  4. Ensure that you have set things up properly with your systems and at your new vendor

Here are some of the top things that everyone who has HIPAA-compliant email really should be doing:

Read the rest of this post »

Gmail and Google Apps: Not Really HIPAA Compliant Email

Wednesday, July 24th, 2013

We are frequently approached by customers in need of HIPAA compliant email who are currently using Gmail or Google Apps, or who have users that are familiar with and like these services.   They would, of course, like to add HIPAA compliance without changing any of their business processes or habits.

For example, some customers may want to set up HIPAA compliant email with LuxSci and have those secure messages forwarded to Gmail, where they can access them in their “usual way”.  In general, this is a bad idea — this will almost always be non-compliant and leave them at significant risk for breaches, disclosure, and HIPAA liability.

No one who must abide by HIPAA should be accessing ePHI through Gmail or Google Apps.

Revision Note: This is not strictly true anymore (as of September, 2013)  as Google Apps now can afford customers some level of HIPAA compliance.  We have a new post on this topic that is more relevant than this older one.  See: Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price.

The remainder of this blog post still has some relevance, so read it in the context that it was written before Google started offering Business Associate Agreements to paid Google Apps accounts.


Read the rest of this post »

Is Blackberry HIPAA Compliant? What You Need To Know

Tuesday, July 13th, 2010

We are often approached by customers wanting to use their Blackberry mobile devices to send and receive email that may contain electronic Protected Health Information (ePHI).  Such customers, when they must abide by the HIPAA and HITECH laws governing medical privacy, must comply with a long set of regulations that covers, among other things, how ePHI may be transmitted over the Internet.

This article deals with the security of sending and receiving email on a Blackberry configured for Internet email services (i.e. it does not apply to those connecting to a Blackberry Enterprise Server and Exchange).

Read the rest of this post »

HIPAA HITECH Business Associate Agreement and LuxSci Account Requirements

Saturday, January 30th, 2010

Changes to HIPAA as a result of HITECH provisions in the American Recovery and Reinvestment Act are going into effect on February 17, 2010.  These changes seriously impact the requirements on Business Associates and impose significant liability penalties on HIPAA violations.  For a discussion of these and how they relate to email and web services, see: HITECH 2010: HITECH Impact on Email and Web Outsourcing.

In response to these changes and to ensure that both LuxSci and its HIPAA customers are HIPAA-compliant:

  • Old BAA Void: All Business Associate Agreements (BAA), formerly known as Medical Privacy Agreements, that current LuxSci customers have by virtue of the old BAA being incorporated automatically in LuxSci’s Master Services Agreement are VOID as of February 17th, 2010.
  • New BAA Required: Any LuxSci Customer who is using or plans to use LuxSci for ePHI (electronic protected health information) of any kind (i.e. email, web sites, WebAides, databases, etc) must explicitly sign our new BAA and ARA (Account Restrictions Agreement) before LuxSci will consider itself a Business Associate and the customer’s LuxSci account HIPAA compliant.

LuxSci will be contacting customers that it believes might need to sign a BAA and ARA during the month of February.  However, as LuxSci does not know which customers are using their account(s) for storage or transmission of ePHI, it is up to our customers to contact LuxSci to establish a BAA.


Read the rest of this post »