Ensuring Healthcare Privacy in the Cloud, Before the HIPAA Fines Hit

by Milton Chen, Business News Daily  |  published on March 18, 2013


The Health Insurance Portability and Accountability Act (HIPAA) Final Rule is going into effect in two weeks on Mar. 26, 2013. Health care entities and associated businesses will have six months (until Sept. 23) to fall in line with updated rules or face new penalties of up to $1.5 million per violation.

While the new HIPAA changes may not be dramatic, they are significant. They bring all associated businesses under HIPAA regulation, strengthen privacy protections already in place under the Health Information Technology for Economic and Clinical Health (HITECH) and Genetic Information Nondiscrimination Act (GINA) laws, and give the enforcing agency (the Office of Civil Rights) more teeth to expedite audits and fines.

If you’re a health care entity or business associate who uses Skype, Google, Cisco/WebEx or plan to use cloud services, here are some ways the new rules may affect you.

Make sure the tools you use are not the weakest link

The updated HIPAA Rule now makes all businesses directly responsible for handling protected health information (PHI). This means all associated businesses, sub-contractors, and anyone else down the line – whether or not they are directly contracted by a health entity. For example, if a business associate uses Google Apps to maintain health information, then Google would also be liable by default and would need to sign a business associate agreement (BAA). (On a side note, Google is highly unlikely to enter such an agreement since Google’s business model is driven by collecting individualized data to sell advertising. See their recent privacy fines.)

The only exempt cases are businesses that only act as a temporary channel for transmitting PHI. Even though they may have random access to such records, they do not maintain them. This includes services such as the U.S. Postal Service, Internet Service Providers, mobile network operators, some Voice-over-IP and video-conferencing services that don’t store recorded sessions.

Cloud computing tradeoff: simplicity vs. security

The bigger problem, as suggested in a Health Informatics interview with Mac McMillan, chair of the Privacy and Security Policy Task Force of the Healthcare Information and Management Systems Society, is that many health care entities don’t know, “where your data is created, where it’s stored, where it’s going in terms of where it’s being sent, etc.,” and they don’t really know how their management and communication tools work, so how can they even begin to assess their security risks? Furthermore, as hospitals move data out into the cloud to take advantage of flexibility and cost savings, they will have even less control over security.

No comments yet - you can be the first!

Comments are closed.

Do you Love your country but hate your government?

Join your fellow Libertarians who seek a world of liberty; a world in which all individuals are sovereign over their own lives and no one is forced to sacrifice his or her values for the benefit of others. Join over 500,000 Americans who get their daily dose of minimal government and maximum freedom with The New Liberty Movement.

We know how important your privacy is and your information is SAFE with us. We’ll never sell
your email address and you can unsubscribe at any time directly from your inbox.
View our full privacy policy.