Well, it took long enough. Google Cloud Platform has finally publicly announced that it will willingly enter into Business Associate Agreements (“BAA’s”) with “Covered Entities” regarding use of Google Cloud services and Protected Health Information (“PHI”). Google’s announcement comes nearly five months after the Sept 23, 2013 effective date for compliance with the HIPAA/HITECH Omnibus Final Rule enacted last January (the “Final Rules”).
Prior to the Final Rules, Business Associates were not, in the absence of a BAA, directly liable to either Covered Entities or HHS (per its Office of Civil Rights (“OCR”), which enforces the HIPAA Privacy and Security Rules). Per the Final Rules, however, BA’s are now directly liable to OCR for compliance with certain requirements of the HIPAA Privacy and Security Rules. Failure to comply can result in both significant civil and criminal penalties, regardless of whether BA’s enter into BAA’s with CE’s or with other BA’s (see below).
As a result, while Google’s announcement merely catches up to the Final Rules’ requirements and reality — though to be fair they did start BAA’s last year for Google Apps, allowing developers to build HIPAA-compliant apps — the important takeaway is that BA’s have, since last September, been directly liable to the OCR for violations of HIPAA/HITECH requirements. Chains of CE to BA to BA are common – and sometimes unexpected, because “Business Associates” are broadly defined, per 45 CFR 160.103(a), as:
“a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A ‘business associate’ also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”
HIPAA rules generally require that Covered Entities and Business Associates enter into contracts – the common “Business Associates Agreements” – with their own business associates to ensure appropriate safeguarding of “protected health information” and to limit use or disclosure of PHI only as permitted or required by the BAA or as required by law.
As those subject to HIPAA/HITECH know, the various rules, requirements, disclosures and mandated items required in BAA’s are extensive and convoluted. For example, this past week on the American Bar Association’s SciTech “information security” listserv, which we follow and participate in, an extensive discussion about HIPAA’s requirements for cloud providers and others took place. An extensive back and forth began about HIPAA’s “conduit exception,” which received extensive treatment in the Final Rules discussion section, where HHS noted that “entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates.” What “random or infrequent basis” means, though, is fact specific, “based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity. The conduit exception is a narrow one ….”
To discuss your BAA, HIPAA/HITECH or Final Rules requirements or specifics, feel free to give us a call at 203 307-2655 or send us an email at info@SmartedgeLawGroup.com.