EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY

Similar documents
FAQ: HIPAA AND CLOUD COMPUTING (v1.0)

THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

My Docs Online HIPAA Compliance

Isaac Willett April 5, 2011

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

HIPAA Compliance Guide

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA Compliance Guide

New HIPAA regulations require action. Are you in compliance?

Business Associates, HITECH & the Omnibus HIPAA Final Rule

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP

Understanding HIPAA Regulations and How They Impact Your Organization!

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

Data Breach, Electronic Health Records and Healthcare Reform

Regulatory Update with a Touch of HIPAA

Am I a Business Associate?

BUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

Bridging the HIPAA/HITECH Compliance Gap

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Security & Privacy Strategies for Expanded Communities. Deven McGraw Partner Manatt, Phelps & Phillips LLP

Business Associate Considerations for the HIE Under the Omnibus Final Rule

HIPAA Compliance and the Protection of Patient Health Information

HIPAA COMPLIANCE AND

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Objectives 5/5/2015. Quality Health Associates (QHA) of ND

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

COMPLIANCE ALERT 10-12

Datto Compliance 101 1

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

OCR/HHS HIPAA/HITECH Audit Preparation

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013.

The benefits you need... from the name you know and trust

troinet.com When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse

Why Lawyers? Why Now?

HIPAA and HITECH Compliance for Cloud Applications

Department of Health and Human Services. No. 17 January 25, Part II

Business Associate Liability Under HIPAA/HITECH

Cloud Computing and HIPAA Privacy and Security

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

Dissecting New HIPAA Rules and What Compliance Means For You

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

Somansa Data Security and Regulatory Compliance for Healthcare

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA BUSINESS ASSOCIATE AGREEMENT

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel

Use & Disclosure of Protected Health Information by Business Associates

Meaningful Use and Security Risk Analysis

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

HIPAA 101. March 18, 2015 Webinar

The HIPAA Security Rule: Cloudy Skies Ahead?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

HIPAA: AN OVERVIEW September 2013

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

Secure HIPAA Compliant Cloud Computing

BUSINESS ASSOCIATE AGREEMENT ( BAA )

HIPAA Compliance Calendar

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

The Bridge from SolutionStart

HIPAA Compliance Issues and Mobile App Design

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

Presented by Jack Kolk President ACR 2 Solutions, Inc.

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

THE IMPORTANCE OF ENCRYPTION IN THE HEALTHCARE INDUSTRY

New HIPAA Rules and EHRs: ARRA & Breach Notification

Cloud Computing, Part Three: Health Care in the Cloud Think You are Doing Fine on Cloud Nine? Think Again. Better Get Off of My Cloud

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

Cloud Computing & Health Care Organizations: Critical Privacy & Security Issues - December 16, 2015

University Healthcare Physicians Compliance and Privacy Policy

Business Associate Agreement

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

Answering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by.

The HIPAA Omnibus Final Rule

ACO Accountable Care Organizations Cooperative Healthcare Requires Cooperative Security It s a Team Sport.

THE IMPORTANCE OF ENCRYPTION IN THE HEALTHCARE INDUSTRY

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Implications of HIPAA Requirements on Healthcare Payment Processing

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Managing data security and privacy risk of third-party vendors

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Transcription:

Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored in the cloud is available on-demand and requires no expensive equipment, physical home or hired staff to manage and maintain it. Overview In the healthcare sector, the storing and sharing of sensitive digitized patient data has become a significant undertaking and is a heavy burden on resources. Preparation for a complete conversion from paper medical records to electronic health records (EHR) by 2015 has independent practitioners and small healthcare entities making significant investments in equipment, hardware and software, and tech-savvy personnel. Rather than focusing on the delivery of core patient care services, they must now worry about IT infrastructure issues, underlying network constraints and data center accessibility as well. This is problematic as very few medical offices or small health service organizations can afford to employ dedicated IT staff. In this context, it is obvious that cloudbased solutions, which consolidate But while other business sectors have fully embraced the cloud for cheaper, more flexible, scalable and secure computing, many in the healthcare sector have yet to entertain putting patient data into the cloud. HIPAA-driven security and privacy concerns have been a serious deterrent. This is about to change. Recent modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules have made it clearer that data center operators are to be classified as business associates under HIPAA. This means cloud-service providers are required by law to report and respond to data breaches and uphold their obligation to properly protect and secure patient info. These modifications are a game changer because they now assure covered entities such as doctor offices, hospitals, and health insurers that they can remain HIPAA compliant while adopting cloud technology. 1

Cloud Computing in Healthcare Sector Projected to Grow According to recent report by the research firm Markets and Markets, although the healthcare sector has been notoriously slow when it comes to adopting new technology trends, the cloud computing market in this sector is projected to grow to $5.4 billion by 2017. Breaking Down HIPAA and the Cloud The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was upgraded in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) ruling addressing the growing use of digitized medical records. HITECH was introduced to provide federal funding to deploy EHR and establish a protocol for protecting the electronic storage and transmission of Protected Health Information (PHI). [PHI is defined as any information obtained, used or disclosed in the course of providing a healthcare service- -treatment, payment, operations or medical records--that can be used to identify an individual.] Compliance with HIPAA requires the reporting of any potential unauthorized PHI access. Because any impermissible access, use, or disclosure of PHI can severely damage an organization s reputation, as well as levy penalties varying from $100 to $50,000 for first time offenders, it is understandable that many in the healthcare industry have chosen to avoid migrating patient data to the cloud unless they re absolutely certain that a cloud-service provider (CSP) is HIPAA compliant. Cloud-Service Providers as HIPAA Business Associates Over the past five years, there has been much confusion whether cloudservice providers were classified as business associates (BAs) under HIPAA. The Department of Health and Human Services holds BAs accountable for certain required privacy and security obligations to protect PHI data, upholding them to a signed Business Associate Agreement (BAA). If confidential health data is compromised, the Associate is liable for responsibilities on their end. The HIPAA privacy rule defines a BA as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Since most CSPs maintain PHI on behalf of either the covered entity or another BA that subcontracts them, 2

one would assume they d be deemed a BA themselves. But that hasn t always been the case due to some ambiguous language that originally accompanied the regulation, language that was only just recently modified to expand the scope of BAs as defined by HIPAA. The Old Rule... Data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis. Conversely, data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates. As you can see, this language easily leaves access on a routine basis up to interpretation. For instance, although it states that HIPAA requires those accessing PHI data on a routine basis be treated as BAs, some CSPs felt they were mere conduits of protected data not very different than courier services or postal services, having only random or infrequent access to public health information as they transport/share it with others. These CSPs would often argue that a signed BAA wasn t necessary, thus avoiding the added due diligence or security control requirements and liability. Take a high-volume Platform-as-a- Service (PaaS) for example. Here the CSPs primary role is to provide storage services that enable the covered healthcare entity s staff, such as a doctor s office, to routinely look at data stored remotely. While the CSP providing the PaaS bears responsibility for maintenance and upgrades to the hardware, software and the operating system, they don t touch the actual PHI data all that much. Therefore, a CSP offering PaaS doesn t necessarily have the same level of PHI access as a cloud provider using Softwareas-a-Service (SaaS) who must grant their personnel daily access to PHI. A similar argument could be made for a CSP who maintains encrypted PHI for a covered healthcare entity but doesn t hold the encryption key. This uncertainty was the reason for much of the healthcare sector s reluctance to take to the cloud. If a cloud-service provider (CSP) didn t feel the need to sign a BAA, and the patient info they managed was breached, the covered healthcare entity, not the CSP, would be fined. 3

The New Rule... A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining 26 protected health information on behalf of covered entities are considered business associates; regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of business associate to generally provide that a business associate includes a person who creates, receives, maintains, or transmits (emphasis added) protected health information on behalf of a covered entity. The new HIPAA Omnibus Rule further clarifies that BAs and subcontractors of BAs are directly liable for compliance with certain HIPAA Privacy and Security Requirements. This has calmed skeptics, resulting in a healthcare industry now actively looking to cloud-based solutions. How Cloud Computing Enables Industry Advancements When it comes to staying on top of industry trends, those in the healthcare sector utilizing cloud computing will undoubtedly have an advantage over those slow to adapt to change. The Internet is more widely used now by both patients and those providing health services. Today s patient desires anytime/anywhere access to health-related information and physicians may need access to digitized health data such as MRI scans, ultrasound images, or mammograms. Patient information must also be accessed for clinical decision-making such as potential prescription drug interactions or the American Recovery and Reinvestment Act of 2009 (ARRA) funded community health information exchanges (HIEs) that enable health providers and insurers to share a patient s medical records with his or her permission. The cloud supports all of these. In many ways, cloud computing levels the playing field as its affordable benefits are available to anyone from a small physician s office or non-profit to large organizations or insurers. This fosters an all-inclusive collaboration that isn t restricted to only large institutional players. 4

Major Benefits of the Cloud for the Healthcare Sector Security Ironically, the biggest concern most healthcare entities have about taking to the cloud is one of its biggest strengths. Recent updates have made CSPs as responsible and liable for HIPAA compliance as the healthcare institutions that hire them. CSPs must ensure that data is encrypted, backed up, easily recoverable, and secured with permission-based access. Costs Reduced costs are an incentive for healthcare entities to take to the cloud. Costs are dramatically cut since the cloud moves everything into a virtual environment, eliminating the need for costly hardware, software, maintenance, data center space, and IT labor. Payas-you-use fees requiring little-to-no capital investment replace these often overwhelming up-front capital expenses. Scalability With the 2015 EHR conversion deadline nearing, and the fact that health service providers are generally required to maintain patient medical records for at least six years, it s easy to anticipate that managing such a high volume of patient data will inevitably stress any on-site IT infrastructure. But the cloud presents a scalable alternative where additional server or storage capacity is available as needed. Mobility - The cloud improves a physician s ability to remotely access readily available patient information. This enables even the busiest physician to review a patient s medical records or test results even after they leave the office. Sharing Cloud computing keeps physicians better connected to not just their patients but their colleagues as well. Patients will notice benefits to medical professionals being able to share patient information online for example, referrals to specialists will be more timely, there will be less paperwork to fill out with each office visit, and no unnecessary repeat diagnostic tests. Are You Ready for This Transition? The transition to cloud computing is underway in the industry. For healthcare service providers, it is no longer a question of if they will transition to the cloud, but when they can start benefiting from its potential savings and all of its capabilities. Healthcare is a heavily regulated industry and cloud computing will continue to evolve to meet the industry s growing security requirements and regulatory mandates. Many legitimate CSPs familiar with the healthcare sector already have strict security protocols in place to comply with regulations and will not hesitate 5

to sign a BAA when asked. It is best to choose a CSP cautiously. Avoid any CSP who refuses to sign a BAA and carefully evaluate even those who do to get a feel for their stability, level of service, and delivery on promises. EGUIDE BRIDGING THE GAP Taking care of people - not your IT infrastructure - is your core service. Why not put the money being spent right now on hardware, software and equipment back into patient care while actually strengthening patient data integrity and security? Contact us today if you d like to learn more about HIPAA compliant cloudbased technology. For Additional Information Please Contact Jamie Stewart jstewart@mvpworks.com T: 716 362 7592 F: 716 630 1703 1297 Hertel Avenue, Buffalo, New York 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information