When Congress passed HIPAA back in 1996, the Internet was in its infancy. What we now know today as Google was a mere graduate program research project. “Going online” more often than not required a modem and an AOL account. Computer data storage was performed at the local level, and the idea of cloud-based computing was, if anything, best suited for sci-fi movies.
Of course, thanks to Moore’s law the computing world has drastically changed in the last 17 years. HIPAA, on the other hand, has not. So, when HHS released its long-awaited HIPAA Omnibus Rule at the end of January, the law had quite a bit of catching up to do with the technology that had outpaced it. Being a relatively new phenomenon, cloud computing was one such topic that the Omnibus Rule addressed.
For years, cloud-based healthcare vendors had tried to avail their organizations to the conduit exception to HIPAA. Broadly speaking, the conduit rule exempts entities from complying with HIPAA if they only transmit and do not access PHI (usually on behalf of a Covered Entity). In the buildup to the Omnibus Rule, PHR vendors, data storage companies, and other cloud-based providers lobbied HHS to broaden the scope of the conduit exception. In the rule, HHS relented, however, and narrowed the exception even further. The exception is only to be applied to electronic data transmission services (such as internet service providers) and their physical mail courier equivalents (such as USPS). In the post-Omnibus world, storing data – however brief in time – will almost certainly make you a Business Associate.
So what does this mean for cloud-based healthcare vendors and their customers? Simply put, HHS has definitively labeled these entities as Business Associates, and Covered Entities should be called on notice. If you are a CIO of a large healthcare organization which has outsourced data storage needs to a third party cloud provider, you better make sure you have a BAA in place with your vendor. OCR is actively searching out HIPAA noncompliance during their rapidly expanding audit program, and the nonexistence of a BAA is one of the most frequently cited concerns. Perhaps even more important is the need to monitor these Business Associates for their compliance with the law.
Vendor management should always be a priority for healthcare managers. The recent changes to HIPAA via the curtailing of the conduit exception should prompt managers to reevaluate their provider rosters.