Federal regulators may have helped data services companies, and made life harder for health insurers, health insurance brokers and other users of personal health information, in a new batch of advice aimed at cloud services providers and users.

Officials at the Office for Civil Rights at the U.S. Department of Health and Human Services prepared the advice, or "guidance," to explain how federal health information privacy and data security rules apply to cloud services.

The Health Insurance Portability and Accountability Act of 1996 and later, related laws and regulations have set strict federal rules for protecting health information.

Officials plan to start calling agents, brokers and other associates of covered entities in September.

The HHS Office for Civil Rights classifies health insurers, along with hospitals, doctors and health care providers, as "covered entities," or organizations that are directly covered by the HIPAA health information rules.

The office classifies health insurance agents and brokers who handle protected health information as "business associates" of the covered entities, and it subjects business associates to similar rules and audit programs.

About a year ago, the office looked at the data services vendors that help business associates handle protected health information. The office decided that the data services subcontractors of the covered entities' business associates are, actually, business associates of the business associates.

If, for example, a health insurance agent who is a HIPAA business associate uses a data storage company to store customer health data, the agent needs to get the data storage company to sign a business associate agreement.

In the new batch of guidance, the Office for Civil Rights officials talk about what all of that means for cloud services providers, or companies that provide information services via computers and networks located somewhere out on the Internet.

For a look at some of what's in the guidance, read on:

The data services customers have to assess the cloud services provider's data security efforts, officials say. (Image: Thinkstock)

Have you looked at your cloud services provider's computers lately?

Both HIPAA covered entities and HIPAA business associates can use cloud services providers, or CSPs, officials say in the new guidance.

HIPAA does not require the cloud services providers to let health data clients audit them, officials say.

Instead, the health data clients have to analyze how well a cloud services provider handles concerns such as system reliability, data security, and data backup and recovery services, officials say.

A HIPAA-compliant cloud services provider can, for example, store the commercial customers' protected health information data outside the United States, officials say.

The health data services customers can ask the cloud services providers for documentation of security safeguards or audits, if the customers think that's necessary for risk analysis and management, officials say.

But the hospitals, insurers and brokers are the parties that have to think about where the cloud services providers' servers are located, how likely hackers are to attack the overseas servers, and how effective the cloud services providers' defenses are.

If a covered entity or business associate stores protected health information on a cloud-based service without getting a business associate agreement from the provider, that could lead to HIPAA violation fines, officials say.

The cloud services provider itself must comply with the HIPAA business associate rules within 30 days after the point at which it knows, or should know, that it's handling protected health information, officials say.

If a cloud services provider learns that it's handling protected health information, it must comply with the HIPAA rules, return the information to the customer, or, if the customer prefers, destroy the protected health information, officials say.

"We recommend CSPs document these actions," officials say.


Allison Bell

Allison Bell, ThinkAdvisor's insurance editor, previously was LifeHealthPro's health insurance editor. She has a bachelor's degree in economics from Washington University in St. Louis and a master's degree in journalism from the Medill School of Journalism at Northwestern University. She can be reached at [email protected] or on Twitter at @Think_Allison.