When Congress passed HIPAA back in 1996, the Internet was in its infancy. What we now know today as Google was a mere graduate program research project. “Going online” more often than not required a modem and an AOL account. Computer data storage was performed at the local level, and the idea of cloud-based computing was, if anything, best suited for sci-fi movies.
Of course, thanks to Moore’s law the computing world has drastically changed in the last 17 years. HIPAA, on the other hand, has not. So, when HHS released its long-awaited HIPAA Omnibus Rule at the end of January, the law had quite a bit of catching up to do with the technology that had outpaced it. Being a relatively new phenomenon, cloud computing was one such topic that the Omnibus Rule addressed.
For years, cloud-based healthcare vendors had tried to avail their organizations to the conduit exception to HIPAA. Broadly speaking, the conduit rule exempts entities from complying with HIPAA if they only transmit and do not access PHI (usually on behalf of a Covered Entity). In the buildup to the Omnibus Rule, PHR vendors, data storage companies, and other cloud-based providers lobbied HHS to broaden the scope of the conduit exception. In the rule, HHS relented, however, and narrowed the exception even further. The exception is only to be applied to electronic data transmission services (such as internet service providers) and their physical mail courier equivalents (such as USPS). In the post-Omnibus world, storing data – however brief in time – will almost certainly make you a Business Associate.
So what does this mean for cloud-based healthcare vendors and their customers? Simply put, HHS has definitively labeled these entities as Business Associates, and Covered Entities should be called on notice. If you are a CIO of a large healthcare organization which has outsourced data storage needs to a third party cloud provider, you better make sure you have a BAA in place with your vendor. OCR is actively searching out HIPAA noncompliance during their rapidly expanding audit program, and the nonexistence of a BAA is one of the most frequently cited concerns. Perhaps even more important is the need to monitor these Business Associates for their compliance with the law.
Vendor management should always be a priority for healthcare managers. The recent changes to HIPAA via the curtailing of the conduit exception should prompt managers to reevaluate their provider rosters.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications' and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.
Engaging Patients and Connecting Care Teams Through Interactive Digital ConversationsLearn More
Prior to the pandemic, telehealth visits ─ delivering patient-provider visits virtually ─ was an afterthought in the care continuum — ill-regarded and little-used beyond patients in rural areas who had few care choices. Virtual visits comprised less than 1% of all outpatient visits. Private insurers generally follow guidelines from the Centers for Medicare & Medicaid Services (CMS), which allowed telehealth in only limited circumstances and paid at 30% below in-office reimbursement rates.