Bradley attorney Amy Leopard was quoted in AIS’s Health Business Daily on the new guidance on the use of cloud service providers
(CSPs) issued last month by the Office for Civil Rights (OCR). Leopard was invited to speak at the OCR’s annual security meeting, “Safeguarding Health Information: Building Assurance through HIPAA Security,” held October 19, 2016, in Washington, D.C.
Leopard says the guidance is valuable for addressing “this whole continuum of issues,” including “specifying the level of security” that may be required based on the amount and type of protected health information entrusted to the CSP. But, she says, “the big contribution of the guidance was the notion that OCR expects us to go get service level agreements on the important things.” Perhaps as a result of the guidance, such agreements are “now going to be baked into the process.” These agreements need to address “the availability, the backup plan [and] disaster recovery [and] the time frame” for these, Leopard said.
OCR, explains Leopard, is “setting the bar higher by specifically stating that CEs need to be addressing [such issues] through specifically negotiated security provisions. That’s a big thing.”
The complete article, “Not Everything Is Worth the Risk: Implementing the Cloud Guidance,” appeared in Health Business Daily on November 15, 2016. (login required)