The U.S. Department of Health and Human Services recognized as far back as 1996, when the original regulation was drafted, that medical facilities often rely on outside organizations to manage important processes and data. That’s why, when the regulation was published in 2002, the guidelines called for business partners and associates, which includes cloud and managed service providers, to own more of the compliance burden. The Omnibus rules of 2013 increased the stringency of the HIPAA requirements as well as the potential fines for business associates, which were raised to $1.5 million per year.
The 2013 Omnibus update to the HIPAA regulations requires that any business partner that offers or claims compliance must include a Business Associate Agreement (BA) as a standard part of its service agreement. According to U.S. HHS, a BA must include the following ten provisions:
- Establish permitted and required access and usage to PHI (protected health info)
- Provide that the associate will not disclose PHI other than as permitted or required in the agreement scope
- Require the business associate to implement safeguards to prevent unauthorized use or disclosure
- Require reporting by the business associate of any unauthorized or inadvertent disclosure, including security breaches
- Provide allowances for the business associate to disclose PHI where necessary to fulfill the client entity’s obligation
- Require the business associate to be bound by the same disclosure rules as the entity
- Require the business associate to submit to HHS audit of its practices and procedures
- Require the business associate to return or destroy all PHI at the termination of the contract
- Require assurance that all subcontractors of the business associate comply with the same restrictions
- Authorize contract termination if the business associate violates any portion of the agreement
The Dynamics partner that you work with needs to be a true HIPAA hosting partner, able to meet all of the requirements of HIPAA regulations. The first question you should ask is whether they have a standard BA that includes the ten provisions outlined above. Your Dynamics hosting partner needs to go above the minimum requirement and demonstrate that they have implemented comprehensive policies and procedures specifically tailored for HIPAA. Safeguards against subcontractors accessing protected data, semi-annual audits, and tight controls in the data center are all important factors.
OneNeck IT Solutions, Dynamics AX and HIPAA Compliance
OneNeck IT Solutions has expertise in managing Dynamics AX environments bound by HIPAA regulations. We understand the HIPAA compliance rules as well as the needs of our clients to maintain those standards. The team at OneNeck undergoes extensive training on the regulations, policies, and procedures needed to protect PHI from unwanted disclosure. Our focus is to reduce the time and costs associated with meeting HIPAA compliance by improving the reporting, auditing and documentation processes. With OneNeck, there is no reason for any healthcare organization to forego the benefits of hosting their Dynamics AX solution in the cloud.
OneNeck IT Solutions has expertise with Microsoft Dynamics AX and in building, deploying, and managing cloud solutions. ReliaCloud®, OneNeck’s private cloud platform, provides scale, flexibility and security to free up your strategic resources while effectively reducing risk. With eight data centers, OneNeck can grow with your business as your needs change and ensure your IT system is operating at peak efficiency. Whether you are looking for colocation, managed services or to move your entire infrastructure to the cloud, OneNeck can help you understand the best solutions for your Microsoft Dynamics AX needs. For a free evaluation of your Microsoft Dynamics AX requirements, contact OneNeck today.