The Health Insurance Portability and Accountability Act (HIPAA) Final Rule is going into effect in two weeks on Mar. 26, 2013. Health care entities and associated businesses will have six months (until Sept. 23) to fall in line with updated rules or face new penalties of up to $1.5 million per violation.
While the new HIPAA changes may not be dramatic, they are significant. They bring all associated businesses under HIPAA regulation, strengthen privacy protections already in place under the Health Information Technology for Economic and Clinical Health (HITECH) and Genetic Information Nondiscrimination Act (GINA) laws, and give the enforcing agency (the Office of Civil Rights) more teeth to expedite audits and fines.
If you're a health care entity or business associate that uses Skype, Google, or Cisco/WebEx, or plans to use cloud services, here are some ways the new rules may affect you.
Make sure the tools you use are not the weakest link
The updated HIPAA Rule now makes all businesses directly responsible for handling protected health information (PHI). This means all associated businesses, sub-contractors, and anyone else down the line – whether or not they are directly contracted by a health entity. For example, if a business associate uses Google Apps to maintain health information, then Google would also be liable by default and would need to sign a business associate agreement (BAA). (On a side note, Google is highly unlikely to enter such an agreement since Google's business model is driven by collecting individualized data to sell advertising. See their recent privacy fines.)
The only exempt cases are businesses that only act as a temporary channel for transmitting PHI. Even though they may have random access to such records, they do not maintain them. This includes services such as the U.S. Postal Service, Internet Service Providers, mobile network operators, and some Voice-over-IP and video-conferencing services that don't store recorded sessions.
Cloud computing tradeoff: simplicity vs. security
The bigger problem, as suggested in a Health Informatics interview with Mac McMillan, chair of the Privacy and Security Policy Task Force of the Healthcare Information and Management Systems Society, is that many health care entities don't know "where your data is created, where it's stored, where it's going in terms of where it's being sent, etc.," and they don't really know how their management and communication tools work. So how can they even begin to assess their security risks? Furthermore, as hospitals move data out into the cloud to take advantage of flexibility and cost savings, they will have even less control over security.
What about video conferencing?
Even services that seem to be exempt under the new HIPAA definitions of business associate may have big security risks. For instance, many popular consumer video chat systems such as Skype or enterprise applications like Cisco/WebEx may be sending your video into the cloud where they have the ability to record your conversations on their servers. Recording could easily be triggered — whether intentionally, accidentally, or maliciously — making it a security risk ready to explode. As Scott MacLean, deputy CIO of Partners HealthCare in Boston, cautions, if there is a breach of data that is hosted on the cloud, the hospital's reputation will take the hit. Thus it is important for healthcare entities to be aware of how a vendor's technology operates, especially when it is not designed for telehealth solutions. To be safe, we recommend only using systems that are FDA-registered.
So does using Skype, Google, or WebEx get you a $1.5M fine? Are video conference tools exempt from HIPAA, or do they have features and capabilities that make them more than just a video conference vehicle? The answer isn't so clear-cut. If you have doubts, use FDA-registered software and hardware and make sure your vendors are willing to sign a BAA.
For a more detailed look at business associate changes, here is an excellent article summarizing the changes and highlighting the to-do points.
The views expressed are those of the author and do not necessarily reflect the views of the publisher.