Commentary on HIPAA Security and Data Hosting Agreements
The decision to have another organization host your data will be driven by a number of factors, such as resource availability, technical considerations, location diversity, and cost. If that data includes electronic protected health information (ePHI), one factor that must be considered is the HIPAA Security Rule.
If the hosting arrangement is for backup purposes, it can be the cornerstone of your data backup plan, disaster recovery plan, and emergency mode operation plan, which are all required implementation specifications of the Contingency Plan standard of the HIPAA Security Rule (45 CFR § 164.308(a)(7)). If the hosting arrangement is for production purposes, then you will be dependent on the policies, procedures, and practices of the host facility in order to meet many of the Security Rule safeguards, so those policies and practices need to be reviewed before you commit, not after.
Regardless of whether the hosting arrangement is for backup or production purposes, you will need to update your security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A)) to address the hosting arrangement and the new risks it introduces. In addition, you will need a written agreement that clearly articulates the obligations of the host facility, allocates the risks attendant to the hosting arrangement, and specifies the required insurance coverages for each party, as pointed out in the Silverstone article.
Finally, if you enter into a hosting arrangement (including a cloud-based one) for ePHI, the host facility is your business associate, and a business associate agreement is required (45 CFR § 164.308(b)). Under HHS guidance this remains true even if you encrypt the data before sending it and the host never holds the decryption key. If the host facility refuses to sign a business associate agreement, do not use it.