notes from an admin for himself. you can read it if you want.


HITECH BAA scramble of 2013

18 February, 2013 (16:59) | security

I decided to document the scramble for BAAs here at my company. In short, anyone other than an ISP has to give you a BAA if they handle your PHI. Today we will start with Mozy because I know they will do a BAA. Keep in mind we have until about Sept to be done. I’ll note the time spent on the phone so far with each.

Latisys – Done, BAA in hand

Latisys provides me with two Tier 3 datacenters and services ranging from unmanaged to managed. They are very easy to work with on a BAA.

Mozy – contacted, 20m

2/18/2013 A chat with support today reveals a need to talk to an account manager at 877-669-9776. After two 5-minute phone calls, some tacky foreign hold music and a voicemail prompt, I still don’t know anything. I suggested that they automate the BAA process on the support forum and documented the idea that they will be responsible for BAA/HIPAA/HITECH. If you need it, there is a post from last night. Google it.

Google Apps for Business – Assertively denied a BAA and any allusion to HIPAA compliance – 35m

2/18/2013 877-355-5787. You will need to have your customer PIN ready; it is in the Google Apps console under Support. I talked to a nice support guy and explained that my company requires a BAA by Sept 2013. On hold, better hold music than Mozy. After 30ish minutes on hold, the tech support guy explained that it took a while to track down the correct answer.

My paid Google Apps support rep said Google has not ever provided a BAA, a guarantee of HIPAA compliance, or any intent or representation of service for HIPAA-compliant materials. It was funny that he kept spelling out H I P P A, H I P A, H I P A A. The guy was very nice about it, and sounded like he was reading from the notes he had just taken over the last 30 minutes. I repeated the idea that we will have to move away from Google Apps if they cannot provide a BAA. He said sorry about that, but I was correct: we will need to move by the deadline. He repeated a few ideas: Google has not ever claimed to be HIPAA compliant, and they will not issue a BAA.

There is a lot of misinformation out there about what Google will do for you. Notice that it does not come from Google. Mostly fanbois. My attorney and I suspected this would be the case.

Logmein –

Q9 – Done, documentation in hand for Canadian PHIPA

Q9 is a bear to negotiate with, and they are incredibly expensive as well. But they get the job done.

Comment from Kashef
Time: February 20, 2013, 10:01 pm

We are starting the same investigation. Gmail provided a similar response to our request.

Comment from Keith Hoover
Time: March 14, 2013, 9:38 am

Appreciate the post, we need to do some scrambling ourselves... Curious what alternatives to Google Apps you are considering? Office 365?

Comment from Nerd
Time: April 6, 2013, 9:46 pm

We are most likely moving to Office 365. We leave for the Microsoft Management Summit in Vegas tomorrow. Should know by the end of the week.
