A recent set of updates to the Health Insurance Portability and Accountability Act may pave the way for more healthcare organizations to entrust sensitive patient data to cloud services companies. Under the new HIPAA Omnibus Final Rule, every cloud IT provider that stores, transmits or otherwise handles protected health information on a healthcare institution's behalf must enter into a written business associate agreement with the institution supplying the records. That contract identifies what data and operations are subject to HIPAA and who is responsible for protecting them, ideally encouraging greater care in handling the data and reducing the number of massive, costly HIPAA breaches.
The importance of contractual transparency and shared risk
This change is welcome, as service-level agreements between cloud services companies and enterprises have often been marred by vague language governing security obligations. A Gartner report from mid-2013 indicated that many businesses were unhappy with SLAs from cloud providers, finding that the agreements offered no real guarantee that even privileged information would be kept safe.
In the event of a breach, organizations should not have to spend time wrangling with providers over who is accountable. Responsibilities must be defined before service begins, both for the sake of compliance and business continuity and for the underlying concern: protecting patients.
Because HIPAA breaches expose personally identifiable information, they can lead to widespread identity theft, so it is imperative that providers do not mishandle, leak or expose data. At the same time, providers must not squander the opportunity to genuinely improve healthcare data protection and compliance. Properly managed, cloud services can remove several of the most common causes of HIPAA breaches, such as patient records sitting on unencrypted local devices and poorly managed on-site storage.
HIPAA Omnibus makes cloud providers accountable
Originally passed into law in 1996, HIPAA was updated in January 2013, when the U.S. Department of Health and Human Services published the Omnibus Final Rule with new provisions concerning data governance. According to InformationWeek’s David Carr, the rules create shared risk between healthcare institutions and cloud providers. Previously, enforcement fell on the healthcare organization as the covered entity, while a cloud host was bound only by whatever its contract said and faced little to no direct repercussions.
Now, a cloud provider that handles protected health information is a business associate in its own right: both parties must sign a business associate agreement, and the provider is directly exposed to enforcement action and penalties if it fails to comply. In a separate InformationWeek piece, Ken Terry pointed out that the difficulty of obtaining BAAs had discouraged many healthcare IT departments from moving forward with cloud deployments, since the healthcare organization bore all of the risk.
“The HIPAA Omnibus Rule dramatically increased the scope of HIPAA Privacy and Security policy and the enforcement activities supported,” said Covisint chief medical information officer John Haughton, according to Healthcare IT News. “We see this as a positive development as it helps improve stakeholder trust in the cloud as a mechanism for clean, portable data.”
The risks and rewards of storing medical data in the cloud
In theory, scalable cloud services are the ideal solution for data-intensive medical applications and high-definition images. For example, picture archiving and communication systems (PACS) require enormous amounts of storage and are only practical if they allow speedy remote access over secure connections. Rather than fight the losing battle of procuring ever more on-site storage to keep up with demand (while also struggling to share what is stored), organizations can tap into the virtually unlimited resources of the cloud.
“The need for flexibility in terms of access to the resources, the need to be able to share and collaborate, and analyze and manage the data suggest [healthcare] is a good environment for cloud solutions,” DNAnexus general counsel Lee Bendekgev told the Web Host Industry Review.
However, accountability has remained a sticking point even for eager adopters. The specific issue of contractually defined risk came to the fore during a recent incident affecting the Oregon Health and Science University. The institution notified more than 3,000 individuals that their health information, including names, addresses, diagnoses and other medical data, had been stored in Gmail and Google Drive accounts.
Although Google's systems were not compromised and the data appears not to have been accessed, OHSU sent the notice because of the nature of its relationship with Google: the data sat under Google's consumer terms of service rather than under a business associate agreement, and those terms stipulated that Google could use stored content for the “purpose of operating, promoting, and improving [Google] Services, and to develop new ones.” For protected health information, a provider's contractual right to use the data is itself an impermissible disclosure, regardless of whether anyone outside the provider ever sees it.
Such data-use terms are routine in consumer cloud services, but they create exactly the kind of problem the newest HIPAA modifications are designed to prevent. Ideally, these contractual hang-ups and privacy concerns will fade as contracts become more transparent and are tailored to healthcare providers’ specific obligations.
Cloud technology may actually reduce HIPAA breaches
A study of electronic medical records conducted by Covisint, and summarized by Crain’s Detroit Business contributor Jay Green, found that the current healthcare system is still characterized by manual processes and on-site storage. These practices fit the industry’s cautious attitude toward cloud services that could jeopardize patient data, but they also point to some of the root causes of past HIPAA breaches.
In an article for Healthcare IT News, Bendekgev explained that two-thirds of major HIPAA breaches since 2009 were triggered by the loss or theft of equipment such as unencrypted laptops and portable storage media. Together, those incidents account for 73 percent of all patients affected by major breaches over the same period, far outstripping the impact of external attacks.
Lack of encryption is a common weak point in healthcare security: many organizations are so large and complex that it has taken them years to devise and roll out comprehensive encryption strategies. Many cloud services, by contrast, encrypt data at rest and in transit by default, which directly addresses the lost-laptop and lost-media failure mode. Two caveats apply. Provider-managed encryption does nothing against a stolen or over-privileged credential, and, as the OHSU case shows, it does not constrain what the provider itself may do with the data; that is what the BAA and the customer's own access controls are for. With those in place, the cloud can improve compliance and protect patients.
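The "encryption at rest and in transit" that the paragraph above relies on is only a control if the customer actually enforces it on its side of the shared-responsibility line. The script below is an added example, not code from the original article: it lints an S3-style bucket policy offline for the two explicit Deny statements that force TLS for every request and server-side encryption on every upload, and shows a weak policy beside a hardened one. It assumes AWS IAM policy syntax and the AWS condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption`; the bucket name, account ID, role name and both policy documents are constructed for the example.

```python
"""Offline linter for an S3-style bucket policy: does it force TLS in transit
and server-side encryption (SSE) at rest?  Added example, not part of the
original article.  Assumes AWS IAM policy syntax and the AWS condition keys
aws:SecureTransport and s3:x-amz-server-side-encryption; both policy
documents below are constructed sample input."""
import json


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _actions(stmt):
    return {a.lower() for a in _as_list(stmt.get("Action", []))}


def _denies_plain_http(stmt):
    """True for a Deny on all S3 actions when the request did not use TLS."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if stmt.get("Effect") != "Deny" or flag is None:
        return False
    if not {"s3:*", "*"} & _actions(stmt):
        return False
    return "false" in {str(v).lower() for v in _as_list(flag)}


def _denies_unencrypted_put(stmt):
    """True for a Deny on PutObject unless the request asks for SSE."""
    if stmt.get("Effect") != "Deny":
        return False
    if not {"s3:putobject", "s3:*", "*"} & _actions(stmt):
        return False
    cond = stmt.get("Condition", {})
    key = "s3:x-amz-server-side-encryption"
    # StringNotEquals rejects the wrong SSE header; Null rejects a missing one.
    return key in cond.get("StringNotEquals", {}) or key in cond.get("Null", {})


def lint_bucket_policy(policy_json):
    """Report which of the two controls the policy enforces, with findings."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    result = {
        "tls_in_transit": any(_denies_plain_http(s) for s in statements),
        "sse_at_rest": any(_denies_unencrypted_put(s) for s in statements),
        "findings": [],
    }
    if not result["tls_in_transit"]:
        result["findings"].append(
            "no Deny for aws:SecureTransport=false: plaintext HTTP access allowed")
    if not result["sse_at_rest"]:
        result["findings"].append(
            "no Deny on s3:PutObject without s3:x-amz-server-side-encryption")
    return result


# Constructed grant used by both policies: an application role reads and writes.
_APP_GRANT = {
    "Sid": "AppAccess",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ehr-app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-phi-bucket/*",
}

# Weak policy (constructed): the grant alone.  Anything the role can do over
# plain HTTP, or upload without SSE, is permitted.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [_APP_GRANT]})

# Hardened policy (constructed): same grant plus two explicit Deny statements.
# In IAM an explicit Deny always wins over an Allow, whoever the principal is.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        _APP_GRANT,
        {
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket",
                         "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedUpload",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
})


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(lint_bucket_policy(policy), indent=2))
```

The linter deliberately recognises only the two canonical Deny shapes and ignores `NotAction`, `NotPrincipal` and resource-level mismatches, so a clean result means the controls are present, not that the policy is otherwise sound. Note also what the hardened policy does not do: it says nothing about who may read the data or what the provider's own terms allow, which is exactly the gap the OHSU notification exposed.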
“These data suggest that the implementation of IT systems that enable secure sharing of information without the need to transport it on a computer or storage media will go a long way toward eliminating the majority of large HIPAA breaches,” stated Bendekgev.
With the latest changes to HIPAA, the healthcare industry should be able to take advantage of cloud services knowing that providers are contractually and legally on the same side, sharing the risk and contributing to the secure handling of patient data.