Cloud Provider Need to Comply With New HIPAA Privacy, Security, Enforcement and Breach Rules

By Florence de Borja On January 24, 2013 · 1 Comment

The last changes to the HIPAA Privacy, Security, Enforcement and Breach Rules had recently been released. Such rules were first implemented the summer of 2012. It also contains how cloud computing providers are to be treated by the healthcare industry. According to the HIPAA standard, the cloud vendors are business associates and as business associates they are expected to be the first ones to comply with the final modifications to the HIPAA rules.

According to the 563-word document, any cloud computing provider which has access to qualified health information is a business associate. Therefore, the document also defined a business associate as somebody who “creates, receives, maintains, or transmits” any private health information. A cloud computing firm which aims to be a business associate of a healthcare organization must commit to a business associate agreement.

The cloud provider must also comply with the Breach Notification Rule. Both the cloud computing firm and the healthcare company are both liable for any violations against the HIPAA rules. The covered healthcare company is also directly responsible for every action of its cloud computing provider. Therefore, a healthcare organization must exercise due care in choosing its cloud provider. The cloud computing service provider must also agree to yearly HIPAA audits and that its staff must be trained on cloud data security. Policies and procedures of the cloud provider must also be in accordance with the HIPAA security guidelines.

According to Chief Privacy Officer Joy Pritts of the Office of the National Coordinator for Health IT, it is very clear that health information will soon be moved to the clouds, especially for the health data of smaller healthcare firms which move their health records to the clouds to cut costs. With the new HIPAA rules, all cloud computing providers must ensure that patient data is protected. Patient data encryption is a must under the modified HIPAA standard.

FrankM

I think you should read the new rules a bit more closely. As a service provider who handles CE’s, unless the provider, who is actually a conduit of the electronic data transmission and is not required to have routine access to PHI, is not considered a business associate (BA). The key point here is, “routine access”.

The final rule adopts the language that expressly designates as business associates: (1) A Health Information Organization, E-prescribing Gateway, or other person that provides data
transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered
entity.