The following is a guest post by Phil Cox, Director of Security and Compliance for RightScale
With the January 2013 release of the Omnibus Rule, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is complete. The rule implements the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which followed HIPAA and supplied the enforcement provisions that gave HIPAA teeth. The Omnibus Rule comes at a time when many organizations in the healthcare industry are turning to public and private cloud adoption to meet their business needs, taking advantage of the cloud’s cost advantages and its ability to unleash greater agility and innovation in healthcare IT. If your organization is considering the cloud, your due diligence should extend not only to the relevant provisions of the Omnibus Rule, but also to the practices you and your business associates must implement to meet its requirements.
Your organization must be in compliance with the Omnibus Rule by September 23, 2013. As you consider how its provisions apply to your cloud computing projects, you need to pay particular attention to three of the Administrative Simplification Rules in Title II: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The Privacy Rule regulates the use and disclosure of information held by “covered entities” (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers). It establishes regulations designed to prevent unauthorized use and disclosure of Protected Health Information (PHI), which is any information held by a covered entity that concerns health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI, including paper and electronic, the Security Rule