When Congress passed HIPAA back in 1996, the Internet was in its infancy. What we now know as Google was a mere graduate program research project. “Going online” more often than not required a modem and an AOL account. Computer data storage was performed at the local level, and the idea of cloud-based computing was, if anything, best suited for sci-fi movies.
Of course, thanks to Moore’s law, the computing world has drastically changed in the last 17 years. HIPAA, on the other hand, has not. So, when HHS released its long-awaited HIPAA Omnibus Rule at the end of January, the law had quite a bit of catching up to do with the technology that had outpaced it. As a relatively new phenomenon, cloud computing was one of the topics that the Omnibus Rule addressed.
For years, cloud-based healthcare vendors had tried to avail themselves of the conduit exception to HIPAA. Broadly speaking, the conduit rule exempts entities from complying with HIPAA if they only transmit and do not access PHI (usually on behalf of a Covered Entity). In the buildup to the Omnibus Rule, PHR vendors, data storage companies, and other cloud-based providers lobbied HHS to broaden the scope of the conduit exception. In the rule, however, HHS did not relent and instead narrowed the exception even further. The exception is only to be applied to electronic data transmission services (such as internet service providers) and their physical mail courier equivalents (such as USPS). In the post-Omnibus world, storing data – however briefly – will almost certainly make you a Business Associate.
So what does this mean for cloud-based healthcare vendors and their customers? Simply put, HHS has definitively labeled these entities as Business Associates, and Covered Entities should consider themselves on notice. If you are a CIO of a large healthcare organization which has outsourced data storage needs to a third-party cloud provider, you had better make sure you have a BAA in place with your vendor. OCR is actively searching out HIPAA noncompliance through its rapidly expanding audit program, and the nonexistence of a BAA is one of the most frequently cited concerns. Perhaps even more important is the need to monitor these Business Associates for their compliance with the law.
Vendor management should always be a priority for healthcare managers. The recent changes to HIPAA via the curtailing of the conduit exception should prompt managers to reevaluate their provider rosters.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.