While a privacy advocate is demanding federal guidance on how to protect health information in the cloud, one federal official says the soon-to-be-modified HIPAA privacy and security rules will apply to all business associates, including cloud vendors, helping to ensure patient data is safeguarded.
Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, made her comments about HIPAA during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights, an advocacy group.
The movement of health information to the cloud is inevitable, Pritts acknowledged. That's particularly true for smaller healthcare organizations that are turning to cloud providers to host electronic health records to help reduce start-up costs.
The shift to cloud computing "reminds me of the mobile area, where technology and practices are ahead of policy," Pritts said. The HIPAA modifications, however, will help ensure that cloud vendors take adequate steps to protect patient data, she added, stopping short of saying whether federal regulators are likely to eventually issue any cloud-specific guidance.
Deborah Peel, M.D., founder of Patient Privacy Rights, last month sent a letter to the Department of Health and Human Services' Office for Civil Rights urging HHS to issue guidance to healthcare providers about data security and privacy in the cloud (see: Cloud Computing: Security a Hurdle).
"The letter ... asks that [HHS] look at the key problems in cloud ... and what practitioners should know and understand about security and privacy of health data in the cloud," Peel said during the panel.
Shift to the Cloud
The pending HIPAA modifications clarify that all business associates with access to patient data must comply with the privacy and security rules, Pritts pointed out. "That brings cloud services under direct regulations of HIPAA," she said. For example, all business associates will be required to use encryption to protect data or document the use of a reasonable alternative method.
The HIPAA rules changes will be included in a long-overdue omnibus package of regulations. Pritts declined to comment on when the package will be published. But in a December interview with HealthcareInfoSecurity, Leon Rodriguez, director of the HHS Office for Civil Rights, which enforces HIPAA, said, "We're hopeful that we'll be in a position to issue it soon." (See: HIPAA Enforcer Reveals Audit Timeline).
In a statement provided to HealthcareInfoSecurity on Jan. 4 in response to an inquiry about whether HHS will consider developing cloud computing guidance, an OCR spokeswoman said there is already "quite a wealth of guidance materials on this topic that has been developed by the National Institute for Standards and Technology, the Government Accounting Office and others. The HIPAA Security Rule requirements are technology neutral. Cloud computing is but one pathway among many for storing and transacting electronic protected health information."
Other Emerging Areas
ONC takes a lead role in administering the HITECH Act electronic health record incentive program. So ONC could potentially spell out some cloud computing-related privacy and security requirements for those using remotely hosted EHRs. ONC has stressed, however, the need to refrain from issuing premature guidance about the use of emerging technologies.
For instance, ONC dropped plans to issue a regulation spelling out voluntary guidelines for the national exchange of health information. Instead, it plans to release incremental guidance based on best practices (see: HIE Guidance Coming in Phases).
In recent months, ONC has issued tips to healthcare providers about security and privacy of patient data on mobile devices. That's because the lost or theft of unencrypted mobile devices have been the cause of many health data breaches, Pritts says.