When Congress passed HIPAA back in 1996, the Internet was in its infancy. What we now know today as Google was a mere graduate program research project. “Going online” more often than not required a modem and an AOL account. Computer data storage was performed at the local level, and the idea of cloud-based computing was, if anything, best suited for sci-fi movies.
Of course, thanks to Moore’s law the computing world has drastically changed in the last 17 years. HIPAA, on the other hand, has not. So, when HHS released its long-awaited HIPAA Omnibus Rule at the end of January, the law had quite a bit of catching up to do with the technology that had outpaced it. Being a relatively new phenomenon, cloud computing was one such topic that the Omnibus Rule addressed.
For years, cloud-based healthcare vendors had tried to avail their organizations to the conduit exception to HIPAA. Broadly speaking, the conduit rule exempts entities from complying with HIPAA if they only transmit and do not access PHI (usually on behalf of a Covered Entity). In the buildup to the Omnibus Rule, PHR vendors, data storage companies, and other cloud-based providers lobbied HHS to broaden the scope of the conduit exception. In the rule, HHS relented, however, and narrowed the exception even further. The exception is only to be applied to electronic data transmission services (such as internet service providers) and their physical mail courier equivalents (such as USPS). In the post-Omnibus world, storing data – however brief in time – will almost certainly make you a Business Associate.
So what does this mean for cloud-based healthcare vendors and their customers? Simply put, HHS has definitively labeled these entities as Business Associates, and Covered Entities should be called on notice. If you are a CIO of a large healthcare organization which has outsourced data storage needs to a third party cloud provider, you better make sure you have a BAA in place with your vendor. OCR is actively searching out HIPAA noncompliance during their rapidly expanding audit program, and the nonexistence of a BAA is one of the most frequently cited concerns. Perhaps even more important is the need to monitor these Business Associates for their compliance with the law.
Vendor management should always be a priority for healthcare managers. The recent changes to HIPAA via the curtailing of the conduit exception should prompt managers to reevaluate their provider rosters.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications' and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.
Engaging Patients and Connecting Care Teams Through Interactive Digital ConversationsLearn More
Symptom checkers can increase patient access by providing guidance and visit qualification checks 24 hours a day. They break down barriers by providing patients with the information they need most during those times when it can be difficult to reach a provider. The tools are also helping prevent misdiagnoses in these situations.
It is critical that underserved populations receive the care they deserve, as the global community continues to wrestle with the pandemic. Here at QliqSOFT, we are aware of the communication gap that too often exists in hospitals and clinics, ultimately keeping individuals from preventative and life-saving care.