Remember how when you were a kid, and you went to spend the night at a friend’s house, you were faced with all kinds of new and different ‘rules of the house’? Maybe your friend’s parents made you eat whatever was on your plate at dinner (lima beans, anyone?), or you had to be in bed with lights out at a certain hour. Whatever the rules were, as a guest, you were expected to follow them.
The new HIPAA Omnibus rule, which went into effect on March 26th, 2013, is kind of like staying at a friend’s house – though the rules are way more complicated, and the penalty for non-compliance can be significantly more costly. If you are a provider – or user – of public cloud services, there are a number of key changes you need to know.
HIPAA Omnibus expands the definition of ‘business associate’
The original HIPAA HITECH guidelines apply to healthcare organizations, insurance companies and other primary handlers of protected health information (PHI). One of the most notable additions in the HIPAA Omnibus rule is that business associates of these primary handlers must now also be HIPAA compliant. All existing and new organizations must achieve compliance by September 23rd, 2013.
HIPAA and the cloud
First, the new HIPAA rules very specifically define cloud service providers (CSPs) as business associates.
‘…document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.’
Consequently, if a CSP wants to make the necessary investments to ensure their infrastructure and practices are HIPAA-compliant, there is significant opportunity to court business from organizations that are governed by HIPAA.
But what if you are on the other side of the equation? If you are a company that wants to outsource your infrastructure, you have a number of considerations:
- Find a CSP that offers a HIPAA-compliant cloud offering. Ideally, they should be able to validate that they have met the HIPAA compliance requirements as defined by the Office for Civil Rights (OCR) through an independent audit.
- Get your CSP to sign a Business Associate Agreement, which will ensure they take on appropriate responsibility for their side of HIPAA compliance.
- Make sure that you connect the dots between your infrastructure and that of your CSP from a compliance standpoint. You don’t want to leave any security holes that might be exposed during data transfer.
- Compliant does not always mean secure. If you want to prevent costly notification in the event of a breach, make sure your data is encrypted, and that you hold and maintain your encryption keys.
Updated Breach Notification
Another significant change in the law is that the threshold for breach notification is much lower. Previously, you only had to notify the U.S Department of Health and Human Services (HHS) if a breach posed “significant risk of reputational, financial or other harm” to individuals.
The new Omnibus standard dictates that a breach of ‘unsecured’ protected health information must be reported unless the covered entity or business associate (using a multi-factor risk assessment) determines that there is a low probability that the PHI has been compromised by unauthorized use or disclosure. (You can find the details on page 5695 of the Federal Register, if you’d like to understand more about your legal obligations for notification).
The register explains:
“Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111–5.”
The short translation? Encrypt the data to make sure only those who are authorized can see it.
More Costly Penalties
HIPAA-covered entities, and now, their business associates, should also be aware of the penalties that are now imposed with the HIPAA Omnibus rule. HHS may impose civil monetary penalties up to $1.5 million for violations within a calendar year. Note that this is not a ‘maximum’ penalty, as WellPoint discovered recently when they were asked to pay HHS $1.7 million for leaving information exposed over the internet. HIPAA Omnibus indicates that this maximum penalty can be assessed for each violation, making the total penalties potentially much higher.
Also, under the Omnibus Rule, covered entities and business associates are now potentially liable for the acts of their respective business associate agents, so make sure your business associate contracts are crystal clear.
One final point is that this new rule mandates that HHS is required to initiate a formal investigation when a party appears to have exhibited willful neglect (previously, investigation was at HHS’s discretion.)
From my perspective, HIPAA Omnibus brings some clarification for organizations that want to use the cloud. Yes, you must understand what your provider brings to the table. But you are also ultimately responsible for your clients’ PHI. Finding a compliant provider is also not enough.
Have you taken HIPAA-covered data to the cloud? If so, what have you learned? If not, what’s holding you back?