HITECH BAA scramble of 2013 -Google the first to say no.
My job is on the line when it comes to HIPAA, HITECH, PHIPA, FISMA and PCI. I don’t armchair quarterback these subjects and have little patience for people who do. I work closely with a technical attorney in order to determine what is right for my business and the workers who depend on us to keep our business alive. Now then…
I decided to document the scramble for Business Associate Agreements (BAAs) here at my company. In short anyone outside of an ISP has to give you a BAA if they handle your PHI. Today we will start with Mozy because I know they will do a BAA. Keep in mind we have until about Sept to be done. I’ll note the time spent on the phone so far with each.
Quick list here, followed by details of how to handle a few:
Latisys – Tier 3 datacenter- YES
Mozy Pro – Backups – YES
Google Apps – Yes, but many limitations and risk points
Logmein – NO
Microsoft Office 365 – YES
Microsoft Azure – YES
Q9 – Yes
Salesforce – Yes
Latisys – Done, BAA in hand
Latisys provides me with two Tier three datacenters and services from unmanaged to managed. They are very easy to work with on a BAA.
Mozy- contacted, a few hours so far
6/10/2014 – Talked to a rep at the same number below today. They will now do a BAA. On old accounts they might have to start your account over and move everything. Sounds like that takes 15 min, but I’ll let you know.
2/18/2013 Chat to support today reveals a need to talk to an account manager at 877-669-9776. After 4*5 minute phone calls, some tacky foreign hold music and a voicemail prompt, I still don’t know anything. I wish I could leave a message, their voicemail is full. Sounds like a digium system with default messages for error notification. I may need to move to someone like
I suggested that they automate the BAA process on the support forum and documented the idea that they will be responsible for BAA/HIPAA/HITECH. If you need it, there is a post from last night. Google it.
Google Apps for Business – Assertively Denied BAA and any allusion to HIPAA compliance- 35m
10/2013- Google now offers a BAA, it is pretty weak. You can only use core services so get ready to start turning stuff off in order to comply with the terms. I am trying to get permission from my attorney to publish his issues with the actual BAA. We are not happy with it so we are moving to Office365. They do everything up to FISMA.
2/18/2013 877-355-5787. You will need to have your customer pin ready on the Google apps console under support. I talked to a nice support guy, explained that my company requires a BAA by Sept 2013. On hold, better hold music than Mozy. After 30ish minutes on hold, the tech support guy explained that it took a while to track down the correct answer.
My paid google apps support rep said google has not ever provided a BAA, guarantee of HIPAA compliance, intent or representation of service to HIPAA compliant materials. It was funny that he kept spelling out H I P P A, H I P A, H I P A A. The guy was very nice about it, sounded like he was reading from the notes he just took for the last 30 minutes. I repeated the idea that we will have to move away from Google apps if they cannot provide a BAA. He said sorry about that but I was correct, we will need to move by the deadline. He repeated a few ideas, google has not ever claimed to be HIPAA compliant, and they will not issue a BAA.
There is a lot of misinformation out there about what google will do for you. Notice that it does not come from Google. Mostly fanbois. My attorney and I suspected this would be the case.
Logmein – No
I was pretty hopeful, ended up talking to our logmein support 2 times as well as sales 1 time. They will give you a copy of the standard EULA and send you packing.
Alternative – bomgar, remote desktop, vpro
Q9 – Done, documentation in hand for Canadian PHIPA, PIPEDA
Q9 is a bear to negotiate with and they are incredibly expensive. They get the job done well. q9 is very strict about proper procedure and we have learned to appreciate their attention to detail over the years.
Apple iCloud – No
Just talked to our local Apple rep. She is working on finding out if Apple will give us a BAA for any service they provide. Right now it is looking like no.