Sep 16, 2014
Are You Ready for the Next HIPAA Deadline?
Datto Partners and MSPs: Be Sure to Sign BAAs with Your Healthcare-Related Clients to Comply with the HIPAA Omnibus Rule by September 22
Datto wants to remind you that if you serve healthcare-related clients such as hospitals, doctor practices, or dentist offices, by September 22, 2014 you need to have an updated Business Associate Agreement (BAA) with each of those clients that details your obligations to protect the health data you handle for them. The data in question is individually identifiable health information held or transmitted in electronic form, known as electronic Protected Health Information (ePHI), and it is regulated under the federal Health Insurance Portability and Accountability Act (HIPAA). The September 22, 2014 date is the end of the Omnibus Rule's transition period for BAAs that were already in place before the rule took effect; any BAA signed since September 23, 2013 was already required to meet the updated terms. Please note that HIPAA liability attaches immediately when a business associate (such as an MSP) receives, creates, maintains or transmits ePHI on behalf of a covered entity, whether or not a BAA has been signed.
The U.S. Department of Health and Human Services (HHS) has posted sample BAA provisions on its website. Note that these provisions are only samples provided by HHS for guidance; they are not a substitute for legal advice. For advice specific to your circumstances, you should contact an experienced health law attorney.
With more significant penalties flowing from HIPAA violations, properly identifying business associates for the purposes of securing new agreements has become paramount.
Your client (hospital, doctor practice or other healthcare provider) should provide the BAA for you to sign. Most BAAs have similar language and will cover:
- Permitted uses and disclosures of client data.
- Administrative, physical and technical safeguards you must have in place if you handle ePHI, in line with the HIPAA Security Rule. This includes your obligation, as a Managed Service Provider, to report to the client any security incident or breach of unsecured ePHI that you discover, whether or not you caused it.
- Termination requirements, including what happens to the client's ePHI (return or destruction) when the agreement ends.
How does Datto fit into the picture?
The Omnibus Rule extends business associate status down the chain: a subcontractor that creates, receives, maintains or transmits ePHI on behalf of a business associate is itself a business associate, and this includes providers that store ePHI without ever viewing it. Datto, as the cloud storage provider behind your backup service, is therefore a subcontractor business associate in the chain that runs from your client through you to Datto. Datto has a standard, compliant BAA that it is willing to sign to cover this extended chain of responsibility. If you serve any healthcare-related clients, we urge you to request a BAA from Datto in addition to the BAAs you sign with your clients. That keeps every link in the chain covered: your client's BAA with you, and your BAA with Datto.
We recognize that this requirement may not be well understood by some Datto partners, so if you have any questions on this topic please contact us.
Additional Datto resources on HIPAA and Compliance include:
Whitepaper: 5 Cornerstones of HIPAA Compliance
Guidebook: HIPAA Compliance Guide