Certified HIPAA Business Associate? Maybe

June 18, 2013

There has always been a desire to have “HIPAA Certification”, and many vendors have tried to claim that their clients were somehow “HIPAA Certified”. Unfortunately for them, HHS kept saying that not only was there no one with authority to certify HIPAA compliance, but that it didn’t intend to give anyone that authority. Now, in this brief article, we find that HHS has agreed to work with Amazon under a program called FedRAMP, which was established in December 2011 to provide a streamlined process across the federal government for identifying and certifying “secure, reliable, and cost-effective cloud options.”

Now you probably notice, as did I, that there is no mention of HIPAA in this article and that the references to HIPAA are solely my own. Nonetheless, if I were Amazon I would be claiming that I was HIPAA compliant and HHS-blessed. The article says, “Amazon was required to undergo a third party security assessment and to receive HHS approval.” My question now is who did the third party assessment and what HHS required of Amazon to get its approval? Enquiring minds want to know, and I shall investigate.

Here is the article: BUSINESS ASSOCIATE AGREEMENTS: MORE READILY ACCEPTED BY CLOUD SERVICE PROVIDERS? MAYBE

Although the HIPAA Omnibus Final Rule’s expansion of business associate liability could create difficulties for healthcare providers and other covered entities seeking to negotiate business associate agreements with vendors for the storage and maintenance of protected health information (PHI), cloud service providers (CSP) could be more receptive to such arrangements thanks to recent developments concerning Amazon Web Services (Amazon) and its relationship with HHS.

Earlier this month, Amazon became the first CSP to achieve nonprovisional “authority to operate” status in the Federal Risk and Management Program (FedRAMP). FedRAMP, overseen by the General Services Administration, was established in December 2011 to provide a streamlined process across the federal government for identifying and certifying “secure, reliable, and cost-effective cloud options.” Office of Management and Budget policy requires federal agencies, such as HHS, to use such services as a way of effectively managing IT where feasible. Amazon provides cloud services to HHS, including hosting of HealthData.gov. In order to achieve nonprovisional status, Amazon was required to undergo a third party security assessment and to receive HHS approval. Now that HHS and Amazon are working together, covered entities should find CSPs more receptive to entering into business associate agreements.

Should you have any questions regarding business associate agreements with CSPs or any other business associates, please contact Lynn Sessions, lsessions@bakerlaw.com or 713.646.1352; or Michael R. Young, mryoung@bakerlaw.com or 513.852.2639.
