The Office for Civil Rights just announced a $ 3 million penalty against Touchstone Medical Imaging, partly because Touchstone “failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.”
This is the first penalty that clearly states third-party data centers are Business Associates. Third-party data centers can include co-location facilities where you store your own servers and network devices; and cloud services that allow you to configure and manage your own servers using infrastructure they own. Other cloud services provide software-as-a-service, like Microsoft Office 365, cloud-based Electronic Health Record systems, and cloud-based Voice Over IP (VOIP) phone services that record messages, record calls, and convert voice messages to emails.
Because Voice Over IP (VOIP) phone services offer voice messaging, call recording, and their support staff has access to on-premise and cloud-based systems, they are HIPAA Business Associates if messages or call recordings contain PHI.
- If you are a HIPAA Covered Entity, you should only do business with HIPAA-compliant IT support and telephone system support vendors.
- If you are a HIPAA Covered Entity, you can only do business with HIPAA-compliant data centers, cloud services, and VOIP vendors.
- Require your data center, cloud services, and phone vendors to sign Business Associate Agreements.
- Have an attorney review any vendor-supplied Business Associate Agreements to ensure the vendor isn’t using it to deny their Business Associate obligations.
- Don’t rely on a vendor’s advertising, meaningless seals of compliance, or statements like “We have lots of healthcare clients” to assume the vendor is compliant. Assess their willingness to sign a Business Associate Agreement. Demand evidence they have provided HIPAA training to their staff, have written HIPAA Policies & Procedures, have a current HIPAA Security Risk Analysis, and that they deliver HIPAA-compliant services. The best proof comes from an independent third-party assessment of the vendor’s compliance.
- The risks are in the millions of dollars if your vendor isn’t HIPAA-compliant. Protect the people you serve, your organization’s reputation and finances, and your career by being willing to switch away from non-compliant vendors.
Or, get out a blank check, make it out to the Office for Civil Rights, and be prepared to write small so you an include a lot of zero’s in your penalty amount.