I decided to document the scramble for BAAs here at my company. In short, anyone outside of an ISP has to give you a BAA if they handle your PHI. Today we will start with Mozy because I know they will do a BAA. Keep in mind we have until about Sept to be done. I’ll note the time spent on the phone so far with each.
Latisys – Done, BAA in hand
Latisys provides me with two Tier three datacenters and services from unmanaged to managed. They are very easy to work with on a BAA.
Mozy – contacted, 20m
2/18/2013 Chat to support today reveals a need to talk to an account manager at 877-669-9776. After two 5-minute phone calls, some tacky foreign hold music and a voicemail prompt, I still don’t know anything. I suggested that they automate the BAA process on the support forum and documented the idea that they will be responsible for BAA/HIPAA/HITECH. If you need it, there is a post from last night. Google it.
Google Apps for Business – Assertively Denied BAA and any allusion to HIPAA compliance – 35m
2/18/2013 877-355-5787. You will need to have your customer PIN ready on the Google Apps console under support. I talked to a nice support guy, explained that my company requires a BAA by Sept 2013. On hold, better hold music than Mozy. After 30ish minutes on hold, the tech support guy explained that it took a while to track down the correct answer.
My paid Google Apps support rep said Google has not ever provided a BAA, guarantee of HIPAA compliance, intent or representation of service to HIPAA-compliant materials. It was funny that he kept spelling out H I P P A, H I P A, H I P A A. The guy was very nice about it, sounded like he was reading from the notes he just took for the last 30 minutes. I repeated the idea that we will have to move away from Google Apps if they cannot provide a BAA. He said sorry about that but I was correct, we will need to move by the deadline. He repeated a few ideas: Google has not ever claimed to be HIPAA compliant, and they will not issue a BAA.
There is a lot of misinformation out there about what Google will do for you. Notice that it does not come from Google. Mostly fanbois. My attorney and I suspected this would be the case.
Q9 – Done, documentation in hand for Canadian PHIPA
Q9 is a bear to negotiate with; they are incredibly expensive as well. But they get the job done.