HIPAA Changes Driving Customers To Cloud, Verizon Says

HIPAA update clarifies that service providers share accountability in protecting patient data, encouraging more healthcare providers to consider the cloud.
Verizon reports that healthcare organizations are showing increased interest in its enterprise cloud services, following the latest round of changes to HIPAA patient data privacy rules.

In January, the U.S. Department of Health & Human Services announced a series of updates to the regulations it administers under the Health Insurance Portability and Accountability Act of 1996. While the package of HIPAA changes known as the "final omnibus rule" prompted industry concern about bureaucratic burdens, it also clarified the legal framework for healthcare organizations to work with cloud services and other external data services providers. By signing a contract designating itself as a "business associate" of a healthcare organization, a cloud service provider takes responsibility for protecting patient data under the law.

As a September 23 compliance deadline looms, requiring providers to have those agreements in place, Verizon says it is seeing a surge in inquiries from healthcare organizations interested in using its enterprise cloud services.

"We couldn't really have those conversations before the omnibus rule came out," said Chris Davis, a solutions architect with Verizon who specializes in compliance issues. "Now everybody's on the same page. We're forced to talk the same language, with the same requirements, with the same purpose."

A moment later, he backtracked to say that maybe not everybody was on the same page. There is still some room for debate over the meaning of the regulations -- for example, if patient health information is encrypted prior to storage and the cloud service provider doesn't have the key, it's possible (under some interpretations of the rule) that a business associate agreement is not absolutely required. However, Verizon's position is that it will sign the paperwork anyway, he said.

"Going back to May of last year, when we were anticipating they might expand the definition of what a business associate was, we did all of what the rule requires before the rule was ever released or officially communicated," Davis said.

Prior to the rule change, if a cloud service managing patient data was breached, the healthcare organization that outsourced the data management would be penalized by the government, but the service provider wouldn't be. Under the new rules, the service provider is also subject to penalties. That doesn't mean the healthcare organization is off the hook -- it is still responsible for oversight -- but the service provider also takes a share of the responsibility for meeting the requirements of the law. "It's not a transfer of risk, but it's an expansion of responsibility," Davis explained.

Verizon already had some healthcare organizations entrusting it with patient health data, but since the rule change, Davis said, "We've seen a significant uptick in the number of conversations we're having [about taking on that role]." He wouldn't give numbers for how many of those conversations are turning into contracts, however, and conceded that not all of them will.

Healthcare IT leaders still cite proper management of cloud services as one of their top worries, partly because of the difficulty of getting vendors to sign business associate agreements. Verizon markets what it calls "enterprise cloud services," distinguished by tighter contractual and regulatory controls than public cloud services like Amazon Web Services. Verizon offers infrastructure cloud services such as storage and processing, as opposed to software-as-a-service applications.

Verizon just released a State of the Enterprise Cloud report, drawing on data from its Terremark data center business collected between January 2012 and June 2013. During that time, cloud-based storage has increased by 90% and cloud-based memory usage is up 100%, driven largely by the shift of business-critical applications to the cloud, according to Verizon.

The report is not industry-specific but does point to healthcare as an exciting area of growth. "Healthcare providers are taking advantage of the increased reach and scalability of cloud computing to deliver new services -- such as teleradiology and real-time remote diagnosis -- quickly and cost-effectively," the report reads. When data is in the cloud, many parties at many locations can gain access to it, subject to proper authorization, Davis added, and that lends itself to telemedicine and other distributed healthcare applications.

Follow David F. Carr on Twitter @davidfcarr or Google+. His book Social Collaboration For Dummies is scheduled for release in October 2013.
