For a long time, the cloud wasn’t getting a lot of love from healthcare organizations. Their CEOs didn’t understand it. Their CIOs weren’t familiar with it. Both were concerned about lack of security, and even more concerned about possible implications of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Things are changing, and it is in part due to the HIPAA Omnibus Rule. Known as “the final rule,” the HIPAA Omnibus Rule is actually a compilation of updates to the regulations the U.S. Department of Health & Human Services administers under HIPAA.
It clarifies the legal framework for healthcare organizations to work with cloud service providers (CSPs) and other external data services providers, and dramatically increases the scope of HIPAA and the enforcement activities supported.
Under the final rule, CSPs, classified as “business associates” (BAs), now must meet many of the same HIPAA requirements as their healthcare customers. They are also required to sign “business associate agreements” (BAAs), which spell out how they will report and respond to data breaches, including those caused by their subcontractors.
This translates into greater peace of mind for healthcare organizations deploying cloud solutions, as IT and the CSPs now share responsibility for meeting stringent HIPAA requirements as they relate to electronic protected health information (ePHI). Simply put, both are responsible for keeping patient data secure. Both suffer the consequences if that data is compromised.
The final rule significantly increases fines for data breaches, meaning organizations face much greater risk when it comes to IT security and HIPAA compliance. That gives CSPs greater impetus to make sure they have the controls in place to protect their customers’ ePHI and avoid potential breaches.
While HIPAA has been considered by some to be among the obstacles to cloud services adoption in the healthcare industry, the HIPAA Omnibus Rule may prove to be an enabler of cloud services technologies instead. And with the move to shared responsibilities between CSPs and their customers, this could pave the way for increased acceptance by other highly regulated industries as well.