By Dan Munro
First Posted at Forbes on 5/1/2013
Earlier this year, the Department of Health and Human Services issued their “Final Rule” to modify HIPAA – the 1996 legislation that’s the beating heart of healthcare security, privacy and data portability. The lack of data portability continues to plague the industry – but the security and privacy are getting more serious with each iteration. The fun reading (courtesy of the Federal Register) is online here. One fast fact from a quick search of the document finds no less than 1,358 occurrences of the phrase “Business Associate.”
HHS estimates that the cost of compliance with the final rule will be somewhere between $114 and $225 million (first year) and about $14 million for each year thereafter. For those who track this sort of thing, that means the rule qualifies as an “economically significant” one under Executive Order 12866. The reason for this new level of security is pretty fundamental. Healthcare has had some serious deficiencies through the years and it’s a prime target for identity theft. Not so much for the actual healthcare information but for financial fraud – which is a companion problem in healthcare (to the tune of about $70B a year in Medicare fraud alone). Here are the 2 charts that HHS presented at this year’s HIMSS to highlight breaches of 500 or more patients.
Safe to say all of this has some serious legal implications – and teeth. Most law firms were quick to advise legal revisions to both the Business Associate Agreement (BAA) and the CMS Data Use Agreement (for use primarily by Medicare ACOs).
The term Business Associate (and its binding Agreement) is a legal one (from the HHS website here). The intent is to extend HIPAA’s legal liability beyond just Covered Entities (another legal term), which are typically the originating source of our Personal Health Information (PHI). Business Associates aren’t required to sign an Agreement – but HIPAA and the Final Rule clarify the legal and financial liabilities in every direction for failure to do so. As it relates to Cloud Service Providers, Health and Human Services (through their enforcement arm – the Office for Civil Rights) is making the importance of the Business Associate Agreement crystal clear:
“If you use a cloud service, it should be your Business Associate. If they refuse to sign a Business Associate Agreement, don’t use the cloud service.”
David Holtzman, Information Privacy Division, Office for Civil Rights
So why does all this matter – and who cares? We all have a stake in this one – here’s why. The cloud is where all of us as consumers (at scale) are spending more and more of our time – daily. Everything from trading stocks, banking online, email, social media, purchases through Amazon and streaming movies from Netflix - all cloud-based consumer services.
Consumer healthcare services are also moving online with an increasing sense of urgency. Ultimately, the great hope for any kind of real healthcare data interoperability could well be the cloud where it’s the most efficient (both electronically and financially) to aggregate, store, manage and then access data - of any kind (including personal health) at scale.
Which brings us full circle to the cloud service providers that contract directly with healthcare entities. Last week Box (a cloud storage solution with almost $300M in funding) announced their support for executing BAAs on behalf of healthcare entities. Microsoft also updated theirs to reflect the new HIPAA revisions, and Verizon announced their support for BAAs last year. Rounding out some of the larger vendors, Dell offers a BAA for their Private Cloud service as well. Hats off to Scott Lundstrom (Group VP at IDC Health Insights) who predicted this BAA “tipping point” last December (here).
There are also some very committed and relatively new cloud vendors that are 100% laser-focused on highly regulated verticals – like healthcare. Phoenix-based ClearDATA is one example – and another one that I spoke with is Ann Arbor-based Online Tech. I asked Mike Klein (Co-CEO) for his thoughts on the BAA.
“The BAA acknowledges the hosting provider’s legal responsibilities and liabilities to the covered entity, but HIPAA-compliant cloud computing is so much more than just signing a BAA. It’s about an entire culture of compliance that’s verified by an independent audit based on HIPAA’s Audit Protocol and includes a Report on Compliance – every year.” Mike Klein [Co-CEO - Online Tech, Inc.]
When it comes to Cloud vendors - the 800-lb gorilla, of course, is Amazon Web Services. According to analyst firm Forrester, AWS has about 71% of the entire cloud market. Curiously absent from the BAA parade, a direct question about BAAs appeared on Amazon’s AWS Forum earlier this year – along with a decidedly vague reply 3 weeks later.
February 6 inquiry posted to AWS Forum:
Amazon has previously taken the position that it is not required to sign BAAs with companies that run HIPAA applications and/or permanently store PHI on AWS. The new HIPAA Omnibus rules appear to specifically call for cloud vendors to sign BAAs with such companies. Has Amazon reconsidered its position on the Omnibus rules with regard to signing BAAs?
February 27 AWS response:
AWS is aware of the new HIPAA omnibus rule published on January 17, 2013. We are in the process of considering the impact of that new rule to AWS.
Which also raises questions about Apple’s iCloud. To this point – iCloud has been predominantly (if not exclusively) focused on all of us as consumers. As consumers – we’re all free to do anything we like with our own PHI, of course, no BAA required. That’s not necessarily the case for clinical iOS devices that use iCloud for any type of PHI data storage. I’m not aware of any iOS-based clinical devices that do – but this could well be the point at which Apple has to start making some legally binding commitments to our $3 trillion healthcare industry.