HIPAA Changes Driving Customers To Cloud, Verizon Says - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Electronic Health Records
01:26 PM
Connect Directly

HIPAA Changes Driving Customers To Cloud, Verizon Says

HIPAA update clarifies that service providers share accountability in protecting patient data, encouraging more healthcare providers to consider the cloud.

7 Big Data Solutions Try To Reshape Healthcare
7 Big Data Solutions Try To Reshape Healthcare
(click image for larger view and for slideshow)
Verizon reports that healthcare organizations are showing increased interest in its enterprise cloud services, following the latest round of changes to HIPAA patient data privacy rules.

In January, the U.S. Department of Health & Human Services announced a series of updates to the regulations it administers under the Health Insurance Portability and Accountability Act of 1996. While the package of HIPAA changes known as the "final omnibus rule" prompted industry concern about bureaucratic burdens, it also clarified the legal framework for healthcare organizations to work with cloud services and other external data services providers. By signing a contract designating itself as a "business associate" of a healthcare organization, a cloud service provider takes responsibility for protecting patient data under the law.

As a September 23 compliance deadline looms, requiring providers to have those agreements in place, Verizon says it is seeing a surge in inquiries from healthcare organizations interested in using its enterprise cloud services.

"We couldn't really have those conversations before the omnibus rule came out," said Chris Davis, a solutions architect with Verizon who specializes in compliance issues. "Now everybody's on the same page. We're forced to talk the same language, with the same requirements, with the same purpose."

A moment later, he backtracked to say that maybe not everybody was on the same page. There is still some room for debate over the meaning of the regulations -- for example, if patient health information is encrypted prior to storage and the cloud service provider doesn't have the key, it's possible (under some interpretations of the rule) that a business associate agreement is not absolutely required. However, Verizon's position is that it will sign the paperwork anyway, he said.

[ For more on what's driving healthcare's move to the cloud, read Medical Practices Move Health IT To Cloud.]

"Going back to May of last year, when we were anticipating they might expand the definition of what a business associate was, we did all of what the rule requires before the rule was ever released or officially communicated," Davis said.

Prior to the rule change, if a cloud service managing patient data was breached, the healthcare organization that outsourced the data management would be penalized by the government, but the service provider wouldn't be. Under the new rules, the service provider is also subject to penalties. That doesn't mean the healthcare organization is off the hook -- it is still responsible for oversight -- but the service provider also takes a share of the responsibility for meeting the requirements of the law. "It's not a transfer of risk, but it's an expansion of responsibility," Davis explained.

Verizon already had some healthcare organizations entrusting it with patient health data, but since the rule change, Davis said, "We've seen a significant uptick in the number of conversations we're having [about taking on that role]." He wouldn't give numbers for how many of those conversations are turning into contracts, however, and conceded that not all of them will.

Healthcare IT leaders still cite proper management of cloud services as one of their top worries, partly because of the difficulty of getting vendors to sign business associate agreements. Verizon markets what it calls "enterprise cloud services," distinguished by tighter contractual and regulatory controls than public cloud services like Amazon Web Services. Verizon offers infrastructure cloud services such as storage and processing, as opposed to software-as-a-service applications.

Verizon just released a State of the Enterprise Cloud report, drawing on data from its Terremark data center business collected between January 2012 and June 2013. During that time, cloud-based storage has increased by 90% and cloud-based memory usage is up 100%, driven largely by the shift of business-critical applications to the cloud, according to Verizon.

The report is not industry-specific but does point to healthcare as an exciting area of growth. "Healthcare providers are taking advantage of the increased reach and scalability of cloud computing to deliver new services -- such as teleradiology and real-time remote diagnosis -- quickly and cost-effectively," the report reads. When data is in the cloud many parties at many locations can gain access to it, subject to proper authorization, Davis added, and that lends itself to telemedicine and other distributed healthcare applications.

Follow David F. Carr on Twitter @davidfcarr or Google+. His book Social Collaboration For Dummies is scheduled for release in October 2013.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/18/2013 | 7:10:03 PM
re: HIPAA Changes Driving Customers To Cloud, Verizon Says
A need that many CIOs, especially of smaller organizations, will have to address is getting Business Associate Agreements in place with web hosting and cloud hosting providers for data storage of Protected Health Information (PHI). The HIPAA Omnibus goes into effect September 23, 2013 and many organizations are unaware that Gǣdata storageGǥ is explicitly addressed in the OmnibusG preamble: GǣFor example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.Gǥ
User Rank: Apprentice
9/17/2013 | 7:31:17 PM
re: HIPAA Changes Driving Customers To Cloud, Verizon Says
With the growing popularity surrounding cloud storage, and the relatively low costs associated with it, this new regulation is of course going to raise interests even more. It absolves some of the blame and concern surrounding the security of patient health data for the organizations and should help out smaller organizations even more. I am actually surprised that cloud storage companies such as Verizon are taking this so well, since a few months ago when this was announced, I expected more of a backlash. I guess if they do speak out too much it shows a lack of confidence in the security of their product.

Jay Simmons
Information Week Contributor
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
Where Cloud Spending Might Grow in 2021 and Post-Pandemic
Joao-Pierre S. Ruth, Senior Writer,  11/19/2020
The Ever-Expanding List of C-Level Technology Positions
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/10/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Flash Poll