Overview of HIPAA and HITECH Act
New technologies, from electronic medical records and medical devices to mobile and Web applications, allow doctors to improve the health status of patients and save lives. These technologies allow doctors to collect more information to study patient histories. These technologies and related data are constantly interacting, exchanging health information through increasingly complex systems, which increases risks and vulnerabilities. Doctors are no longer the only custodians of sensitive health information. Today, for example, persons who manage the storage of data also have access to this information and, thus, are responsible for its safety.
Recognizing the vulnerability of health information, the U.S. government passed the Health Information Portability and Accountability Act (HIPAA) in 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2003. These laws require organizations dealing with health information to take certain measures to ensure confidentiality and security, as well as inform patients in cases where the confidentiality and security of their personal data is at risk.
In conditions when consumers are switching to cloud services, understanding these standards and the requirement of strict adherence to them becomes the basis of the organization’s responsible behavior and the trust of patients who communicate confidential details about their health.
HIPAA and HITECH Act
The nuances of these complex set of laws, rules and regulations are often overlooked. Often, confidentiality and security are used simply as fashionable terms without taking into account the nuances of HIPAA and HITECH, which can distort the meaning of the requirements of these laws.
Protected Health Information
According to HIPAA, certain information is considered protected health information (PHI). PHI is data on the patient's past, present or future physical or mental health, on the provision of medical care to the patient, on the patient's past, present or future payments for medical services, as well as data (identifiers) that identify the person. PHI includes personally identifiable information (PII), such as names, addresses, patient-related dates (date of birth or date of service), phone numbers, fax numbers, email addresses, URLs, IP addresses, social security numbers, account numbers, license numbers, medical record numbers, health insurance plan beneficiary numbers, device identifiers and serial numbers, vehicle identifiers and serial numbers, biometric identifiers and photographs. In other words, PHI covers any unique identification number, code or characteristic that can be used to trace a patient.
Electronic Protected Health Information (EPHI) is the same PHI, or personally identifiable health information, when it is created, received, maintained or transmitted electronically. While the privacy standard applies to every form of PHI (written, printed, electronic and oral), the security standard applies only to EPHI.
HIPAA is a set of special privacy and security standards for certain health information, known respectively as the HIPAA Privacy Rule (privacy standard) and the HIPAA Security Rule (security standard). HIPAA standards apply to healthcare providers, such as healthcare facilities, insurance companies and medical billing centers.
The U.S. Department of Health and Human Services (HHS) website says that:
The HIPAA Privacy Rule provides federal protection for personal health information held by healthcare providers and gives patients a set of rights over that information. At the same time, the Privacy Rule permits the disclosure of personal health information needed for patient treatment and for other important purposes.
In turn, the HIPAA Security Rule "defines a set of administrative, physical and technical safeguards that medical organizations must implement to ensure the confidentiality, integrity and availability of electronic protected health information."
HITECH Act
The HITECH Act required the U.S. Secretary of Health and Human Services to expand the scope of the HIPAA Security Rule and Privacy Rule standards and to increase fines for HIPAA violations. Previously, the jurisdiction of the HHS Office for Civil Rights (OCR) over leaks of private information extended only to medical organizations. The HITECH Act extends the HIPAA Privacy Rule and Security Rule standards to business associates (BA): individuals and legal entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of (or when providing services to) a medical organization. Business associates typically provide services such as claims processing and administration, data analysis, utilization review and management. A cloud provider that stores PHI, directly on behalf of a medical organization or indirectly through its business associate, is now also considered a business associate.
Omnibus Rules
In January 2013, OCR published the final version of the "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules", the so-called Omnibus Rule. These rules amend the definition of a business associate, strengthen the security and confidentiality of PHI, place direct liability on business associates, change the harm threshold in the Breach Notification Rule, and clarify the content of business associate agreements. In the promulgated final rules, the most important point for providers and consumers of cloud services is that, for the purpose of enforcing compliance, OCR's jurisdiction extends to business associates and their subcontractors.
The Omnibus Rules have significantly changed the definition of a business associate. They now state that subcontractors of business associates are considered persons acting on their behalf. A subcontractor is a person to whom a business associate delegates a function, activity or service that it performs for a HIPAA-covered organization or for another business associate. In essence, subcontractors are business associates of business associates, and the chain continues downward through every organization that handles PHI.
If, in the course of a business relationship with a medical organization or its business associate, an organization creates, receives, maintains or transmits PHI, then it is a business associate. The word "maintains" is of primary importance in the new rule, especially for cloud service providers.
Cloud Service Providers as Business Partners
Cloud service providers are unique among the business associates entrusted with EPHI. When HIPAA was adopted, the concept of the "cloud" did not exist and probably could not have been predicted. Medical organizations and other business associates are increasingly choosing the cloud to store health information. The most common reasons are cost savings, storage resource management, platform stability, resource availability, backup and recovery, and a reduction in IT maintenance work. However, when EPHI is stored (or maintained) in the cloud, consumers disclose it to the cloud provider, which thereby becomes a business associate. Therefore, cloud service providers must comply with HIPAA and HITECH.
Although OCR does not use the term "cloud service provider", the commentary on the rule uses the phrase "storage company" to identify business associates and subcontractors and to clarify the meaning of the term "service". The commentary indicates that even if a business associate does not view the PHI, or views it only incidentally or occasionally, this does not exempt it from having to follow the rules.
The change in the definition of a business associate and the accompanying commentary leave no doubt that cloud service providers and other organizations entrusted with PHI (media organizations) are business associates. Thus, as business associates, cloud service providers have unconditional obligations and increased liability for PHI.