As third parties are increasingly relied upon to host and manage sensitive health data, the HIPAA Omnibus Final Rule and its Sept. 23 deadline are ensuring that those with access to Protected Health Information (PHI) specify their security obligations and are held accountable for failing to adequately protect customer data.
Under the new stipulations, IT providers who store, process, maintain, transmit or otherwise touch a healthcare provider’s PHI must work out a Business Associate Agreement with their customer, making it precisely clear where they’re subject to HIPAA security and privacy rules.
The Business Associate Agreement provides legal protection for both healthcare providers and service providers, which should ultimately provide patients with assurance that their data is secure. But this provision also opens up possibilities for more advanced and cost-effective services that can be provided by third-party solutions such as cloud storage and cloud computing.
“The need for flexibility in terms of access to the resources, the need to be able to share and collaborate, and analyse and manage the data suggest [healthcare] is a good environment for cloud solutions,” says Lee Bendekgey, general counsel at DNAnexus, a provider of cloud-based DNA data management and analysis solutions.
One of the founding ideas behind DNAnexus was that individuals and organizations would need access to the vast quantities of genomic data being generated, and that this and other data must only be accessible to those with the proper clearance. The assurance of security, Bendekgey says, will help patients trust the application of technologies that will no doubt have an enormous effect on healthcare.
Securely Providing Information to Those Who Need It
Data has always, in one way or another, been central to healthcare. The sharing of that information, for instance, has some predicting a major shift in medicine from a pathology-based approach (focused on disease progression within a specific organ) to a biochemical- and genomics-based approach that is already being applied to cancer treatment.
But it’s crucial that institutions be able to provide patients the assurance that they have knowledge of and control over how, when and where their information is used.
The cloud approach makes this controlled and secure PHI sharing within reach.
According to Bendekgey, the cloud model allows for better permissions management when it comes to physicians, patients and other bodies. “They need to see the information – but it needs to be secure,” he says. “That’s much easier to do in a cloud environment where you can use permissions and give them links that only allow them to see what you want them to see.”
For instance, in a pharmaceutical research setting, data can be shared with the FDA and all access and changes would be logged and reported. “A cloud setting can give very specific permissions of who can put data in, who can look at the data, where you have logging that shows everyone who looked at the data and what they did and confirm that nobody did anything inappropriate to the data.”
A Shared Risk
In an interview with the WHIR earlier this year, April Sage, CPHIMS, director of the healthcare vertical at Online Tech, characterized the HIPAA Omnibus Privacy Rule as a measure that clarifies the responsibility to protect health information throughout the entire “chain-of-trust.”
According to Datapipe CSO Joel Friedman, there was always a shared risk and responsibility between a healthcare provider and a company that handles its data – even if it hadn’t been specifically laid out in a Business Associate Agreement. The Business Associate Agreement helps more clearly delineate the responsibilities of both parties.
“In my opinion it’s actually less risk to sign [a BAA],” Friedman says. “If you were providing services to a covered entity prior to the clarification [of the Omnibus Final Rule], meaning according to the law you are considered a Business Associate, and there is no Business Associate Agreement in place, then there are risks for both parties. First, the covered entity is not in compliance with the law because it’s their obligation to get an agreement in place. And second, there’s no assignment of responsibility – it’s left wide open. So if there is any type of breach, assignment of fault is up in the air.”
Datapipe provides a HIPAA Compliance package with the network infrastructure, physical security, and the technical controls needed to safeguard client data.
In terms of specific risks, however, the fault lines are drawn up in each Business Associate Agreement according to the organizations involved. Friedman says, “There is a model of shared risk, and that’s the job of the Business Associate Agreement: to delineate who is fulfilling each of the required regulations. Not necessarily how, but the responsibilities and where they lie.”
For instance, the Business Associate Agreement would probably not hold an IT service provider responsible for a data breach caused by a physician sharing his or her password. But it does provide clarity where assigning responsibility and blame is more complicated.
As more healthcare institutions use data in new and novel ways, it will fall to many outside service providers to hold up their end of the bargain, and ensure that greater capabilities don’t come at the cost of security.