How HIPAA affects healthcare cloud computing decisions

From: HealthITsecurity

Author Name:  David Canellos

HIPAA covered entities as well as many of their business associate (BA) service providers, including cloud service providers, were bound to the HIPAA Omnibus Rule on Sept. 23, 2013. Part of the reason for the HIPAA Omnibus Rule was to ensure patients’ privacy is protected regardless of where their information is stored, including the cloud.

By bringing every covered entity and BA under the rule, HIPAA holds all parties that come in contact with patient data responsible in the event of a breach. When BAs and covered entities are held responsible, they are more likely to take the security measures needed to protect themselves and the data. And given the headlines regarding cyber-security threats, who could argue against the wisdom of this objective?

New HIPAA guidelines make entities that are defined as BAs directly accountable if they run afoul of the regulations. And the rules they must play by have gotten tougher as well. For example, in the area of data breaches, BAs previously only needed to notify covered entities in breach cases that could result in significant risk of financial/reputational harm. But under the new rule, any disclosure of patient data is subject to notification (unless the BA can demonstrate a low probability that the PHI has been compromised).

But covered entities need to understand that they are not off the hook if their BA runs afoul of HIPAA requirements. While BAs are directly liable under HIPAA, covered entities are also held directly responsible for the actions of their BAs. This fact alone makes a strong case for taking the time to follow a rigorous process when selecting your cloud-based service providers.

Encryption, tokenization and the cloud-based BA

Earlier I mentioned the idea of PHI being stored and processed in the clear while under the control of the cloud service providers (BAs) of the covered entities. But what if the information was not in the clear? What if it was strongly encrypted or tokenized and, as a result, unreadable in the systems of the cloud-based BA? And what if only the covered entity – not the BAs – had access to the means to bring the data back into the clear? The benefits to both parties would include:
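The arrangement sketched above, where the cloud-based BA holds only ciphertext and tokens while the covered entity alone keeps the key and the token vault, as an added Go example (this is not the author's code or any vendor's product). It assumes AES-256-GCM for the free-text notes and a random-token vault for direct identifiers; the `PatientRecord` fields, the `CloudBA` type and the sample values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// PatientRecord is the clear-text record as the covered entity holds it.
// Field names and the sample values in main() are constructed for this demo.
type PatientRecord struct {
	MRN   string // direct identifier, tokenized before upload
	Name  string // direct identifier, tokenized before upload
	Notes string // clinical free text, encrypted before upload
}

// ProtectedRecord is the only form the cloud BA ever receives or stores.
type ProtectedRecord struct {
	MRNToken  string
	NameToken string
	Notes     []byte // nonce || AES-256-GCM ciphertext of PatientRecord.Notes
}

// CoveredEntity keeps the sole copy of the data key and the token vault.
type CoveredEntity struct {
	key   []byte            // 256-bit AES key, never leaves the covered entity
	vault map[string]string // token -> original identifier
}

func NewCoveredEntity() (*CoveredEntity, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &CoveredEntity{key: key, vault: map[string]string{}}, nil
}

// tokenize swaps an identifier for a random token and records the mapping
// locally; the token itself carries no information about the value.
func (ce *CoveredEntity) tokenize(value string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	ce.vault[tok] = value
	return tok, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh nonce and prepends it so the key holder can decrypt.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal fails authentication under any key other than the one used to seal.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Protect runs on the covered entity's side before anything is sent to the BA.
func (ce *CoveredEntity) Protect(r PatientRecord) (ProtectedRecord, error) {
	mrnTok, err := ce.tokenize(r.MRN)
	if err != nil {
		return ProtectedRecord{}, err
	}
	nameTok, err := ce.tokenize(r.Name)
	if err != nil {
		return ProtectedRecord{}, err
	}
	ct, err := seal(ce.key, []byte(r.Notes))
	if err != nil {
		return ProtectedRecord{}, err
	}
	return ProtectedRecord{MRNToken: mrnTok, NameToken: nameTok, Notes: ct}, nil
}

// Reveal brings a record back into the clear; only the covered entity can do this.
func (ce *CoveredEntity) Reveal(p ProtectedRecord) (PatientRecord, error) {
	mrn, okMRN := ce.vault[p.MRNToken]
	name, okName := ce.vault[p.NameToken]
	if !okMRN || !okName {
		return PatientRecord{}, errors.New("unknown token")
	}
	notes, err := unseal(ce.key, p.Notes)
	if err != nil {
		return PatientRecord{}, err
	}
	return PatientRecord{MRN: mrn, Name: name, Notes: string(notes)}, nil
}

// CloudBA models the business associate: it stores and retrieves protected
// records by token, which is all it needs to deliver the service.
type CloudBA struct{ store map[string]ProtectedRecord }

func NewCloudBA() *CloudBA                                 { return &CloudBA{store: map[string]ProtectedRecord{}} }
func (ba *CloudBA) Put(p ProtectedRecord)                  { ba.store[p.MRNToken] = p }
func (ba *CloudBA) Get(tok string) (ProtectedRecord, bool) { p, ok := ba.store[tok]; return p, ok }

// LeaksPHI reports whether any clear-text field of r appears in what the BA holds.
func LeaksPHI(p ProtectedRecord, r PatientRecord) bool {
	held := append([]byte(p.MRNToken+p.NameToken), p.Notes...)
	for _, s := range []string{r.MRN, r.Name, r.Notes} {
		if bytes.Contains(held, []byte(s)) {
			return true
		}
	}
	return false
}

// BAAttemptDecrypt shows that whoever holds only the BA's copy cannot recover
// the notes: without the covered entity's key, GCM rejects the ciphertext.
func BAAttemptDecrypt(p ProtectedRecord) error {
	wrongKey := make([]byte, 32)
	if _, err := rand.Read(wrongKey); err != nil {
		return err
	}
	_, err := unseal(wrongKey, p.Notes)
	return err
}

func main() {
	ce, _ := NewCoveredEntity()
	rec := PatientRecord{MRN: "MRN-0001", Name: "Jane Doe", Notes: "Reports chest pain."} // constructed sample
	prot, _ := ce.Protect(rec)
	ba := NewCloudBA()
	ba.Put(prot)
	stored, _ := ba.Get(prot.MRNToken)
	fmt.Println("BA sees PHI:", LeaksPHI(stored, rec), "| BA decrypt error:", BAAttemptDecrypt(stored))
	back, _ := ce.Reveal(stored)
	fmt.Println("covered entity recovers original:", back == rec)
}
```

The design choice that matters is where the key and the vault live: if the BA's own key-management service held the key, or the vault were hosted alongside the tokens, the BA would again be handling readable PHI and the split would buy nothing. The BA can still index and retrieve records by token, so the service keeps working while a compromise of the BA's storage yields only ciphertext and meaningless tokens.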
