What Do HIPAA Rule Changes Mean for Cloud Providers?
If you are a cloud provider that serves the healthcare industry, or a health organization that uses one, it’s important to understand how recent changes to HIPAA (Health Insurance Portability and Accountability Act) affect you and your business relationships. Here’s a high-level overview.
When HIPAA was enacted in 1996, the regulations that the U.S. Department of Health and Human Services (HHS) issued under it looked very different from today’s rules. For much of HIPAA’s existence, responsibility for protecting patient privacy rested on the shoulders of “covered entities” (healthcare providers, health plans and healthcare clearinghouses) that deal directly with patients’ protected health information (PHI). Service providers that “create, receive, maintain, or transmit PHI for a covered entity” were considered “business associates,” whose privacy and security responsibilities were defined only at a contractual level, through a Business Associate Agreement with the covered entity. These third parties were usually outside the line of fire, and enforcement was generally lax prior to 2012.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the American Recovery and Reinvestment Act (ARRA) of 2009, began to change the dynamics by providing incentives to healthcare providers to invest in IT infrastructure and adopt electronic health record (EHR) systems. Digitization of medical information precipitated exponential growth in electronic protected health information (ePHI) and a shift toward cloud-based technologies to facilitate the exchange and storage of the data. This changing paradigm forced regulators to rethink how to protect ePHI. So, part of HITECH expanded the scope of HIPAA privacy protections, including making business associates liable for compliance, expanding breach notification requirements, and increasing legal implications and enforcement for non-compliance.
When the Final Omnibus Rule went into effect on March 26, 2013 (with a compliance deadline of September 23, 2013), it further expanded the definition of business associates and made their compliance responsibilities direct, extending them to downstream subcontractors as well. That means nearly every link in the PHI chain, from covered entities to cloud providers and the subcontractors that fit the definition of a business associate, must now implement a full compliance program and is directly liable, whether or not the required Business Associate Agreements are in place.
At a 10,000-foot level, here are the main areas that cloud providers and other business associates now must consider:
HIPAA Privacy Rule
This rule establishes requirements for protecting and safeguarding the privacy of PHI, as well as the conditions and limits on the use and disclosure of such information without authorization.
HIPAA Security Rule
The Security Rule applies specifically to ePHI and seeks to ensure its confidentiality, integrity and availability. For cloud providers and their business associates, that means formalizing and maintaining reasonable administrative, physical and technical safeguards to protect patient data. It requires all parties with access to ePHI to conduct a risk analysis, take reasonable steps to identify and mitigate reasonably anticipated threats to the security or integrity of that information, and protect against uses or disclosures that the Privacy Rule does not permit.
HIPAA Breach Notification Rule
This rule mandates timely notification of affected parties should a breach of unsecured PHI occur. Covered entities own the responsibility to notify affected individuals and HHS (and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets). Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. All parties must document either that the required notifications were made or, through a risk assessment, that the incident did not rise to the level of a reportable breach.
HIPAA Enforcement Rule
As mentioned above, heightened enforcement is a big part of the changes. This rule defines violation categories, levels and associated civil penalties. Violations range from cases where the party did not know and could not reasonably have known of the violation (having exercised reasonable diligence), with relatively small penalties, to Willful Neglect (intentional failure to comply or reckless indifference), with civil fines of as much as $1.5 million per calendar year for violations of the same provision. Criminal charges for knowing misuse of PHI are pursued separately by the Department of Justice under the HIPAA statute. Be proactive when it comes to compliance!
The bottom line is that applicable cloud providers (whether you are one or use one), and downstream business associates must understand their responsibilities under HIPAA and take formal steps for full compliance. Measures include appropriate risk analyses and HIPAA audits and ensuring that policies, procedures and Business Associate Agreements are in place for every link in the chain. It’s a good idea to consult with a compliance expert and learn more about the specifics of the latest regulations. You can find HIPAA information and resources on the HHS site at http://www.hhs.gov/ocr/privacy/index.html.