Cerner, now part of Oracle Health, offers a wide range of cloud and enterprise software solutions, including infrastructure, databases, and applications for managing business operations, data, and analytics.
Is Cerner HIPAA compliant? Yes, Cerner can be HIPAA compliant when customers sign a business associate agreement (BAA) and configure their services accordingly.
Yes, Cerner will sign a business associate agreement.
The Cerner BAA covers the use and disclosure of protected health information (PHI) when Cerner services are used under the agreement. The terms state:
"Cerner shall not Use or Disclose PHI other than as permitted or required by the Agreement, this BAA, or as Required By Law."
Their BAA covers:
Cerner specifies limitations in its BAA. The agreement notes that Cerner will only handle PHI as necessary to perform contracted services and is not responsible for a customer’s internal misconfigurations or misuse. The BAA states:
"Cerner shall not be responsible for compliance with HIPAA or the HIPAA Rules by Customer, except as expressly provided in this BAA."
This means the customer is ultimately responsible for using Cerner services in a HIPAA-compliant manner.
Cerner signs a BAA and can therefore be HIPAA compliant. However, compliance depends on customers configuring and using Cerner services correctly, since the BAA places responsibility for HIPAA compliance outside Cerner's covered obligations on the customer.
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.