Cloud Vendors Shore Up Security as HIPAA Omnibus Deadline Passes

With the Sept. 23 deadline for the HIPAA Omnibus Rule having come and gone, cloud vendors will need to sign business associate agreements or face hefty fines.

The deadline for compliance with the new Health Insurance Portability and Accountability Act (HIPAA) Omnibus rule has passed. As of Sept. 23, IT vendors are required to sign business associate agreements when working with health care providers on cloud services that involve access to patient data.

Although the deadline was uneventful for large IT companies, it could be more challenging to meet for small and midsize IT vendors, according to Tim Sedlack, senior product manager at Dell Software. Larger IT companies are likely already in compliance, but small and midsize companies may not be up to speed on the rules due to a fractured staff and a lack of compliance officers, Sedlack suggested in an email to eWEEK.

As for Dell itself, the company has a designated health care and life sciences compliance officer to make sure the company is in compliance with data security requirements for HIPAA-covered entities, according to Martin Edwards, HIPAA compliance officer for Dell Services Healthcare and Life Sciences. The company also conducts risk assessments of infrastructure that hosts, stores and processes patient health information electronically for covered entities or health care providers, he told eWEEK in an email.

New security and compliance requirements affect storage vendors and cloud service providers, who are classified as business associates and subcontractors, Sedlack noted.

The final Omnibus Rule took effect March 26, but covered entities such as health insurance organizations and business associates like IT companies were required to comply by Sept. 23.

Under the new HIPAA rule, EHR and billing software and backup services will have to sign business associate agreements. Higher monetary fines for data breaches of up to $1.5 million also come with the new HIPAA rule.

According to the old HIPAA regulations, covered entities—consisting of doctors, hospitals and health plans—were bound to the privacy rules. Prior to the update, health care providers would be responsible for making sure third parties such as IT vendors were compliant with security and privacy regulations. Now, the "business associates," or IT vendors, must also comply.

Handling data as encrypted data blocks, rather than as plain text that could expose patient records, helps keep IT companies in compliance, said Ethan Oberman, CEO of SpiderOak, an online backup company.

The company refers to this technique as "zero-knowledge," in which data on the server is never available in plain text. "If the 'business associate' can't actually look at the plain text data, it means by default [it's] being compliant with regulations of HIPAA because [the company is] not looking at plain text data records ever," Oberman told eWEEK. "We don't even know what we're storing—music, cancer records, files from high school?"

Because of its strategy of storing customers' "encrypted data blocks," SpiderOak did not need to make adjustments to comply with the HIPAA Omnibus Rule, according to Oberman. "We've been in compliance because of our approach to storage," he explained. "We like to say we're HIPAA-compliant. You have to follow certain guidelines when you're handling patient records. We are not handling patient records; we are handling encrypted data blocks."

Oberman added, "If you don't know what you're storing, then the compliance becomes a lot easier."

The HIPAA Omnibus Rule brings added responsibility to health care cloud providers because they will need to report data breaches to the government directly rather than the provider reporting them.

"The cloud providers that are now subject to the rules have responsibilities relating to the way they transmit and store protected information," said Deena Coffman, CEO of IDT911 Consulting, which provides data-risk assessment and protection programs. "And their legal departments are likely working overtime to put the formal agreements into place with their clients who are covered entities and with any service providers they may use that store and maintain the protected data," Coffman said.

With the HIPAA Omnibus rule going into effect, vendors and health care providers will need to maintain data privacy at "every source of contact and level of compliancy," including mobile devices, said Ron Rock, CEO of cloud middleware provider Point.io.

"The heightened accessibility to critical information, enabled by the introduction of cloud and mobile app technologies, has contributed to improved patient care, a key goal of HIPAA standards," Rock told eWEEK in an email.