The monthly OCR Cyber Newsletter for June had some interesting points.  The fact that OCR mentions multiple times and in multiple ways that they do not endorse, certify, or recommend specific technology or products should serve as their “OCR mic drop moment” on this discussion.  We can dream, can’t we!  Today we are going to review that newsletter and how they have pointed these things out once again.

Before we close out the episode we are also covering some questions and comments from listeners.  Hang around for those just after the 30-minute mark.

HIPAA For MSPs by David Sims OCR Cyber Newsletter: Mic Drop For Cloud Providers

Today’s topic

OCR Cyber Newsletter: Cloud Computing BAs

June OCR Cyber Newsletter

Here it is in black and white.  Well, in the June OCR Cyber Newsletter it may not be quite black and white, but the newsletter settles one thing for certain: cloud providers are Business Associates, period.  The OCR mic drop moment may finally keep people from finding ways to argue that they are not required to meet HIPAA requirements even though they are a BA.  There are several points in the newsletter where OCR makes a point of driving it home.

The CSP lacking an encryption key to the ePHI does not exempt the CSP from business associate status and its obligations under the HIPAA Rules.


OCR Cyber Newsletter

OCR does not endorse, certify, or recommend specific technology or products.

In addition to a BAA, a Service Level Agreement (SLA) is commonly used to address more specific business expectations between the CSP and its customer (the covered entity or business associate). SLAs, consistent with the BAA, may address HIPAA concerns such as:


  • System availability and reliability
  • Back-up and data recovery
  • Manner in which data will be returned to the customer after service termination
  • Security responsibility
  • Use, retention and disclosure limitations

It is important to note that OCR also does not endorse or otherwise recognize private organizations’ “certifications” regarding HIPAA compliance, and covered entities and business associates should ensure their own compliance with the HIPAA Rules.

Sign up for the monthly OCR newsletters by subscribing to the OCR Security Listserv.


Listener Survey Responses

Thanks to those who have been kind enough to take the Listener Survey. We do read through them and appreciate it very much.


As questions have come in on the survey we have been trying to blend those into the episodes as we go. We have a couple more that came in recently.

What are the characteristics of a good HIPAA Privacy Officer?

Both a security officer and a privacy officer need to be willing to spend time getting to know what HIPAA actually says. Part of that is being very involved in the development and implementation of policies and procedures. There is a lot of minutiae in HIPAA, and more of it in the Privacy Rule than in any other part.

A good Privacy Officer will be passionate about protecting PHI and understand why that matters to the patient, the business, and the staff. That passion will be needed to drive them to find new ways to educate and involve the workforce because that is the primary control you have under the Privacy Rule.

They will also be somewhat of a policy wonk who is willing to dive into the bushes when any question, situation, or incident occurs. It takes time and patience to sort through many of the privacy quandaries that occur.

They will be meticulous in documenting the when, what, how, and why of their day-to-day work. After all, without documentation, it didn’t happen.

Finally, they will need to be confident enough to make a decision and provide guidance to the “power structure” of the organization. They may not want to hear what you tell them, but you need to be able to stand in there and confidently tell them the parts they need to know to make decisions without bogging them down in the details. This is probably the hardest part of the job.

As a BAA, how can we best showcase our compliance program to clients and auditors?

I’m pretty sure you did what most people do and said BAA when you meant BA. Everyone does it, even us, but I do try to point it out just in case there is someone out there who honestly doesn’t know the difference. The BAA (Business Associate Agreement) is the legal contractual agreement between two entities where at least one of them is a BA (Business Associate) under HIPAA.

Now, to your question: how can you showcase compliance to clients and auditors?

When it comes to sales, I believe you should use something similar to our BADD questionnaire in a sales form. Show each prospect how serious you are about HIPAA compliance as part of the sales process.

Also, provide them with your BAA for their review early in the negotiation process, not as a final step. Explain to them that to make sure we all have compliance covered from the beginning, it is best to start that review as soon as you are negotiating. If you have it nailed down by the time you sign the deal it makes things so much smoother for everyone.

In fact, in our recommended system for managing BAs, we suggest that be done up front. That way, the compliance people have time to confirm conditions and get pulled into the process while questions are being asked.

Another way to showcase your program is to live it in your office every day. The thing we have discussed many times is to have reminders, like posters or maybe workforce members featured on the walls for compliance jobs well done.

One company we work with has a big bulletin board where people can post notes about something a co-worker did, sort of like an “attaboy” for each other as well as for management. The board has many sections, and one of them is Compliance.

When you bring a prospect or auditor to your site and they see those kinds of things around the office, they know there is a culture of compliance throughout the organization, which is the objective.


There have been some great comments and ideas posted. Here are a few of the quick ones:

Keep up the excellent work!
Donna and Karla are the best!
If there were pictures of Donna wearing her Chicken Hat I would feel better!


There were others with some specific points and suggestions that were very interesting and appreciated. A few different suggestions basically asked for more technical details and deeper dives into security topics. That one is a tough one for us. We get feedback that says it is too technical, while others say it is not technical, which is what they appreciate about it. Two out of three don’t want the technical details, and we are learning how diverse our listener base really is across the spectrum of technical and non-technical types.

For those of you who want to get into more technical discussions, we certainly have mechanisms for those discussions over at Here on the podcast, we are trying to touch on more tech topics but without going too deep in the nerdisphere. And we will continue to try and find that perfect balance to meet the needs of our diverse listeners.

Finally, we had one suggestion asking us to make our episodes about 20 minutes long. I certainly understand the point from this listener who is trying to consume multiple podcasts per day. We are making an effort to move along to the topic quicker than we had been doing.

We have struggled with this particular topic since the very beginning: just how long do we make an episode? We knew we didn’t want it to be the one- or two-hour thing that some podcasts do in their episodes. However, our topics are so dry and complex that when we just did the facts and nothing but the facts, it wasn’t going to make a show that could reach the diverse audience we have now.

As an alternative, we have heard from some listeners who use a player that has a speed up option and they listen to us on high speed. I have not tried that yet but they claim it makes it fun.

We will continue to evaluate what we are doing and find ways to strike the balance on our timing.

Listener Emails

Thank you for “What is MDM and why do I want it?” (Episode 110). I would like to recommend that if a business is a Microsoft Office 365 Small Business or Enterprise customer, check Microsoft Intune. The starting price is $6 per user per month for basically unlimited devices, and it can manage iOS, Android, OS X, and Windows devices. Although VMware AirWatch Express is $2.50 per device per month, it can add up. So per-user pricing could be advantageous for medical practices with multiple devices to manage. –George

We doubt that an end to the BA and cloud “confusion” will happen, but we can try to use this OCR mic drop as another chance to explain.  Yes, cloud providers must do their own compliance just as any other BA does, because they are a BA.  Hiring a cloud provider that does HIPAA doesn’t mean you are suddenly done with HIPAA compliance requirements; it just gives you another tool to help.