While cloud computing services offer affordable technology and data management solutions for health care providers—particularly small providers—attorneys are advising hospitals and physicians to be aware of the privacy and security risks to protected health information that also come with cloud computing.
Attorney Joseph I. Rosenbaum, with Reed Smith in New York, told BNA that he advises health care providers who are considering the benefits of cloud computing for their practices to also consider the privacy and security concerns related to cloud computing services and to address those concerns in contract negotiations with cloud services providers.
Of particular concern, Rosenbaum cautioned, are health care providers' and, possibly, cloud services providers' obligations under the Health Insurance Portability and Accountability Act.
Health care providers have obligations as HIPAA-covered entities to comply with HIPAA Privacy and Security rules, and cloud services providers may also have similar compliance obligations as business associates under new requirements (yet to be finalized in rulemaking) that were mandated in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
However, Rosenbaum said, health care entities contracting for technology services, such as cloud computing services, may not pay as much attention as they should to the obligations of their contractors under HIPAA, and cloud services providers may not know they have HIPAA compliance obligations.
Cloud services providers that ultimately meet the definition of business associates under HIPAA requirements could argue they did not know about their obligations under the statute and had no reason to know. But, Rosenbaum said, at some point in a highly regulated environment such as health care, cloud services providers contracting with health care entities likely would be expected to ask about their obligations.
Rosenbaum said that a chapter on cloud computing in health care that appears in a recent white paper—Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing—that he authored with Reed Smith attorney Vicky G. Gormanly was written to raise some of the questions health care providers and technology services providers should be considering in transactions with one another.
For example, he said, questions health care providers seeking technology services should consider include whether they have an obligation to explain their HIPAA compliance obligations to cloud services providers, or whether cloud services providers have an obligation to ask about the businesses of their clients and seek on their own to understand compliance requirements that might affect their contracts.
Health care providers also should consider the business associate obligations their cloud services providers might have under HIPAA, even though it is not clear under what circumstances cloud services providers would be considered a business associate, Rosenbaum and Gormanly wrote in the white paper.
“Generally, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides services to, a covered entity that involves the use or disclosure of individually identifiable health information,” the attorneys wrote in the paper.
Rosenbaum noted that the Department of Health and Human Services Office for Civil Rights in a proposed HIPAA rule covering business associate obligations expressly said that entities that facilitate the transmission of data were considered to be business associates. He said that by that definition many cloud services providers could likely be considered business associates and be required to comply with HIPAA rules. That also would mean covered entities might consider whether they should enter into business associate agreements with cloud services providers that cover HIPAA obligations.
Regarding contracting, Rosenbaum said that in many cases cloud services providers are concerned about liability and risk management, and that the starting point for those companies in contract negotiations with health care providers is that complying with the federal rules governing the health care industry is primarily the responsibility of health care entities.
However, he said successful contracts between health care providers and cloud services companies strike the right balance to ensure both parties take the right steps to comply with federal rules and to protect the privacy and security of health care data.
By Kendra Casey Plank