By now most healthcare entities are well aware of the HIPAA Omnibus Final Rule, which is changing the game for HIPAA compliance. The Final Rule expands the definition of a “business associate”: now anyone who creates, receives, maintains or stores PHI on behalf of a covered entity is subject to the HIPAA Security Rule. On a basic level, the new rules better protect patient privacy while strengthening the security behind health information. Third-party vendors must now be willing to sign a BAA (Business Associate Agreement) to do business in this space. Many had been hesitant because of the liability that comes with signing a BAA, which makes a hosting or cloud provider legally and financially responsible should a breach occur on its watch.
For the patient, this is good news; for the industry as a whole, the expansion is excellent news; and for healthcare organizations, which are covered entities, it presents a great opportunity!
And here’s why.
Healthcare organizations, most often, do what they do best: deliver care to patients. The HIPAA Omnibus Final Rule gives them an opportunity to stop and think about their businesses. They should re-examine their workflow processes, evaluate what they do, and validate what makes business sense and what doesn’t. It is also a good time to evaluate their vendors and partners and to make a strategic decision that will affect their business, not only from a profit/loss perspective but also in terms of being able to focus resources and effort on the parts of the business that matter most.
One key decision all healthcare organizations should be considering is moving their IT systems and data to the cloud. Now that the HIPAA Omnibus Final Rule has clearly defined the role of cloud providers in safeguarding health data, healthcare organizations have more feasible options for moving their operations to outside providers who specialize in IT infrastructure as a service. The reasons can be many: a growing demand for self-service, broad network access, resource pooling, rapid elasticity, measured service, and so on.
However, even with the clock ticking and the Omnibus Final Rule taking effect September 23, 2013, many healthcare entities remain cautious about (even resistant to) moving their operations to outside providers. There is still concern that their PHI will be more, not less, vulnerable to compromise if they outsource certain elements of their IT systems to cloud vendors.
This is not necessarily true for all cloud vendors. In fact, many cloud providers’ business models are built on the premise that their cloud offerings must be secure and protected: the provider has to safeguard data not only for its healthcare clients but for all of its customers.
Security is an integral part of such a provider’s business, and without security as a core competency the service provider is not likely to remain in business. In many cases, healthcare organizations that outsource to a cloud provider can actually improve the security controls for their organization. So, thanks to the HIPAA Omnibus Final Rule, healthcare businesses now have a reason to stop and think about what their next steps should be as they build for the future.
Learn more about healthcare-enabled cloud solutions by Verizon Terremark.