OCR Offers Guidance on HIPAA and Cloud Computing | Healthcare Informatics Magazine | Health IT | Information Technology

OCR Offers Guidance on HIPAA and Cloud Computing

October 7, 2016
by David Raths
Cloud service provider that stores only encrypted data is still a business associate

The Health & Human Services Office of Civil Rights (OCR) has provided guidance around several questions regarding cloud service providers and HIPAA. For instance, if a cloud provider stores only encrypted protected health information and does not have a decryption key, OCR said it is still considered a HIPAA business associate.

OCR refers to cloud service providers (CSPs) storing encrypted PHI as “no-view” services. “As a business associate, a cloud service provider providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules,” OCR said.  “However, the requirements of the Rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP.”

Regarding the HIPAA Security Rule, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still be required to implement appropriate internal controls to assure only authorized access to the administrative tools that manage the resources (e.g., storage, memory, network interfaces, CPUs) critical to the operation of its information systems.  For example, a CSP that is a business associate needs to consider and address, as part of its risk analysis and risk management process, the risks of a malicious actor having unauthorized access to its system’s administrative tools, which could impact system operations and impact the confidentiality, integrity and availability of the customer’s ePHI. 

An exception that would see a provider as only a “conduit” of information is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission.  Any access to PHI by a conduit is only transient in nature.  In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

OCR clarified that a CSP is not a business associate if it receives and maintains only information that has been de-identified following the processes required by the Privacy Rule. OCR also noted that if a covered entity (or business associate) uses a CSP to maintain electronic PHI without entering into a business associate agreement, the covered entity (or business associate) is in violation of the HIPAA rules. 

In a statement released by ACT, the App Association, its executive director, Morgan Reed, said that companies that fall under the newly created term, “no-view service provider,” will face compliance questions around access which must be resolved. “Of course, further outstanding HIPAA questions remain as well. For example, there is still a lack of clarity around texting and messaging, which are central to patients’ and physicians’ lives. We look forward to working with OCR on these important issues.”

 

 


Microsoft Healthcare Rolls Out FHIR Server for Azure

November 13, 2018
by David Raths, Contributing Editor
Developers could use the server to quickly ingest and manage FHIR datasets in the cloud

Microsoft Healthcare has announced the release of an open source project, FHIR Server for Azure, to offer developers access to software that supports the exchange and management of data in the cloud via the FHIR specification.

FHIR Server for Azure on GitHub provides support infrastructure for immediate provisioning in the cloud, including mapping to Azure Active Directory (Azure AD), and the ability to enable role-based access controls (RBAC), the company said. Developers can save time when they need to integrate a FHIR server into an application or use it as a foundation to customize a unique FHIR service.

In a blog post, Heather Jordan Cartwright, general manager of Microsoft Healthcare, said the company “is contributing this open source project to make it easier for all organizations working with healthcare data to leverage the power of the cloud for clinical data processing and machine learning workloads.”

In August 2018, Microsoft joined with Amazon, Google, IBM and other companies in a commitment to remove barriers for the adoption of technologies that support healthcare interoperability, particularly those that are enabled through the cloud and AI and especially FHIR.

Among the points the companies agreed to was: “We understand that achieving frictionless health data exchange is an ongoing process, and we commit to actively engaging among open source and open standards communities for the development of healthcare standards, and conformity assessment to foster agility to account for the accelerated pace of innovation.” 

As an example of how FHIR Server for Azure will work, Microsoft said developers can use the server to quickly ingest and manage FHIR datasets in a cloud environment, track and manage data access, and begin to normalize data for machine-learning workloads.

In August, Josh Mandel, chief architect of Microsoft Healthcare, noted that the company had added support for FHIR to the Dynamics Business Application Platform through the Dynamics 365 Healthcare Accelerator, and developed an open source Azure Security and Compliance Blueprint for Health Data and AI for deploying a FHIR-enabled, HIPAA/HITRUST environment in Azure.

 
