The HIPAA Omnibus Rule regulations encourage business associates to healthcare companies to share responsibility for data breaches. These new regulations involve signing “Business Associate Agreements” with providers, yet are likely to strengthen trust in cloud security, and allow more healthcare entities to enjoy the benefits of the cloud while ensuring that patient privacy is maintained.
In the recent past, organizations were hesitant to move sensitive healthcare information to the cloud. The cloud was unfamiliar and seemed to be less safe than crunching data on company hardware. But now that cloud service providers are taking on a big slice of responsibility for their clients’ data security, cloud computing is much more attractive. Not only is it perceived to be safer, but it transfers some of the responsibility for security from the healthcare company to the cloud provider, making it a safer choice than going it alone.
In fact, a recent study (conducted in Aug 2013 by Imprivita) shows that the use of cloud-based applications and services in healthcare is up significantly from last year. A full 30 percent of respondents said they currently use cloud computing. In 2012, the number was only nine percent. And 40 percent of those respondents said they have moved their Private Health Information (PHI) into the cloud (also up from nine percent last year).
The new reality does bring with it some challenges. Business Associate Agreements (BAA’s) define the relationship between the provider and the healthcare organization. Some cloud providers set their own conditions which customers must meet in order to get a BAA. And the customers themselves , are asking questions such as how the provider will react to a security breach, or about the length of incident response time.
Although each BAA is a little different, the US Department of Health and Human Services provides a list of the necessary components of a BAA. The 10 crucial elements are:
- The contract must establish the permitted and required uses and disclosures of protected health information by the BA.
- It must provide that the BA will not disclose any other information other than what has been permitted in the agreement.
- The BA must implement safeguards to protect PHI, including electronic records.
- BA must disclose to the healthcare organization any use or disclosure of information not provided for in the contract, including security breaches.
- BA’s must disclose private health information to the healthcare provider when the patient requests it.
- The BA must follow all regulations set out in the Privacy Rule.
- The BA must make available to the healthcare organization its books, records and internal practices relating to use and disclosure of PHI.
- When the contract is terminated, the BA must return or destroy all PHI.
- Any subcontracters engaged by the BA are required to abide by the same regulations as the BA.
- If the BA violates any of the terms of the contract, the contract will be terminated.
These clear guidelines make it easier for healthcare organizations to venture into cloud computing.
HIPAA Compliant Organizations Turn to Data Encryption
Not only are more healthcare organizations looking to the cloud, but many businesses are now turning to data encryption as the most cost-effective and efficient method of data protection and breach notification. This is becoming the accepted best practice, and allows so-called “Safe Harbor” for a HIPAA compliant entity if a breach does occur.
Data encryption provides a kind of “mathematical wall” that replaces the old walls of the physical world. As long as the owner of the data keeps the encryption keys to himself, this is actually quite effective. And “Safe Harbor” rules from the Health and Human Services administration (HHS) mean that – if you can prove that the data was encrypted and the encryption keys kept safe – you will avoid many of the fines and reporting requirements should something go wrong.
As healthcare providers and their business associates adjust to the new HIPAA regulations, it is expected that more of them will take advantage of data encryption and benefit from the efficiency of cloud computing.