Healthcare-enabled Cloud and HIPAA Omnibus: Are you ready?

The compliance date for the HIPAA omnibus final rule is one month away -- September 23. This means that covered entities (healthcare providers, health plans and similar organizations) and their business associates must comply with the final rule, which states that business associates, as well as their subcontractors, must meet strict HIPAA security requirements if they receive, create, maintain or transmit protected health information on behalf of a covered entity.* Failure to comply can result in substantial fines levied by the U.S. Department of Health and Human Services.

The final rule requires covered entities and their business associates to conduct a security risk assessment; review their existing security, privacy and breach notification policies and procedures; and amend their business associate agreements (BAAs) to align with their revised policies.

If a cloud provider receives, creates, maintains or transmits protected health information on behalf of a covered entity, that cloud provider is considered a business associate, and the covered entity remains financially liable if a breach were to occur.

There are many cloud providers that tailor their solutions to the healthcare industry, and many of these providers will sign a BAA under certain conditions. One of these conditions has to do with who retains the encryption keys. An encryption key is a piece of data that an encryption algorithm uses to scramble (lock) the protected health information and, later, to unscramble (unlock) it; whoever holds the key can read the data, which is why key custody matters when deciding who is responsible for it.

According to Natalie Mosallam, chief health IT counsel at Verizon, "Under the final rule, cloud vendors that hold the encryption keys to a healthcare customer's data (protected health information) are business associates. Under the final rule, however, if a cloud vendor does not hold the encryption keys to that data, the law is grey in terms of whether that cloud provider is a business associate. Verizon is willing to take on applicable business associate responsibilities for qualifying healthcare-enabled services."

Verizon will sign a BAA with a healthcare customer if the customer requests one, regardless of who holds the encryption keys.

There are many important factors to consider as we near the September 23, 2013 deadline. You can read "Healthcare Business Associate Agreement (BAA) - The Devil's in The Details". In that article I present a collection of published articles that address why it is important for healthcare entities to select the right cloud provider in light of the HIPAA omnibus final rule.

Having an updated BAA in place with a financially secure organization such as Verizon is critical for healthcare providers and healthcare organizations to properly safeguard patient health information. To learn more, please visit here.

Also of note, the American Medical Association has published a summary report on the impact the final rule has on physicians and other healthcare providers, which you may find helpful. You can read the report here.**

[Source:* http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html]
[Source: ** http://www.ama-assn.org/resources/doc/washington/hipaa-omnibus-final-rule-summary.pdf]
