Cloud Computing and Healthcare: Understanding the HIPAA Omnibus Rule

Note: This is blog 2 of 4 in our HIPAA series.

Now that you’re equipped with a basic understanding of HIPAA provisions, and how they apply to Covered Entities (CEs) and Business Associates (BAs), it’s time to dig deeper and look at some of the most important changes to this legislation during the last few years. The Omnibus Rule is the most relevant to health care because it governs, at least in part, the way health agencies leverage and interact with cloud computing services.

HIPAA highlights

Before diving into HIPAA changes and cloud compliance highlights, here’s a refresh: The Health Insurance Portability and Accountability Act (HIPAA) was adopted in 1996 and lays out specific regulations for companies that handle electronic protected health information (ePHI). Critically, these companies are responsible for keeping records of all disclosures of PHI, encrypting all PHI, and meeting other HIPAA security standards. Failure to comply—even through ignorance—can result in a $50,000 fine for the first offense and $1.5 million for the same offense in a calendar year.

Changing conditions

Think of HIPAA like a living piece of legislation that is constantly being assessed and modified to fit current needs. As a result, changes have emerged in recent years which impact both first-party health agencies and third-party providers.

According to HIPAA Journal, the Security Rule as revised in 2013 lays out specific administrative, physical, and technical safeguards that must be in place to ensure data security. These include Business Associate Agreements (BAAs) with third parties who access PHI, controls for devices and media used to store ePHI, and limits on who can remotely access ePHI. In addition, the impermissible use or disclosure of protected health information (that is, a violation of the HIPAA Privacy Rule) is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, such as through the use of strong encryption.

The new rules that became effective in 2013 also included changes such as:

   •     Expanded patient rights to request copies of their ePHI in electronic form.
   •     Prohibited the sale of health information for marketing or fundraising without patient permission.
   •     Introduced risk assessment methodology to determine the probability of ePHI compromise.

More recently, The U.S. Department of Health and Human Services released guidance on the applicability of HIPAA to cloud service providers (CSP). As noted by Becker Hospital Review, any CSP engaged by a CE to host ePHI becomes a BA by default, meaning they need to sign a BAA to comply with HIPAA’s requirements for BAs. CSPs must comply with certain breach notification requirements if their network is breached and results in unauthorized access to unencrypted ePHI, which includes prompt warning to the CE that their information may have been compromised.

 

Safe haven?

It’s important to note that cloud computing is not a “safe haven” from HIPAA compliance. If CEs permit CSPs to host or back up ePHI data without the proper agreements and precautions in place, both the CE and CSP could face Office for Civil Rights audits and fines for failing to comply with HIPAA regulations.

HIPAA continues to evolve as technology advances and new cybersecurity threats emerge. Although cloud computing is now a viable way to store and transmit ePHI, CEs and CSPs must take precautions to ensure HIPAA compliance. As required by HIPAA, Mozy by Dell offers appropriate safeguards—including those for encryption, password restrictions, and data storage—to help you protect and secure the electronic health information you work with and store.

Up next: Key causes of a health data breach. Find out how your CE can both detect new threats and safeguard patient information.