Cloud Computing: HIPAA’s Role

From: GovInfoSecurity

How Privacy, Security Rule Modifications Will Apply
By Marianne Kolbasuk McGee

While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.

Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group.

The movement of health information to the cloud is inevitable, Pritts acknowledged. That’s particularly true for smaller healthcare organizations that are turning to cloud providers to host electronic health records to help reduce start-up costs.

The shift to cloud computing “reminds me of the mobile area, where technology and practices are ahead of policy,” Pritts said. The HIPAA modifications, however, will help ensure that cloud vendors take adequate steps to protect patient data, she added, stopping short of saying whether federal regulators are likely to eventually issue any cloud-specific guidance.

Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services’ Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud.

“The letter … asks that [HHS] look at the key problems in cloud … and what practitioners should know and understand about security and privacy of health data in the cloud,” Peel said during the panel.

Shift to the Cloud

The pending HIPAA modifications clarify that all business associates with access to patient data must comply with the privacy and security rules, Pritts pointed out. “That brings cloud services under direct regulations of HIPAA,” she said. For example, all business associates will be required to use encryption to protect data or document the use of a reasonable alternative method.
