As more data moves into the cloud in 2013, and ensuring the security of that data takes on greater significance, health care organizations will pay much closer attention to the mandates of the Health Information Portability and Accountability Act, and will boost policies and procedures that secure the flow of patient health information.
Encryption technology, data breach audits and business associate contracts will play key roles next year as the result of greater federal scrutiny under HIPAA laws, according to Carlos Leyva, attorney and managing partner at the Digital Business Law Group of Pennsylvania, and CEO at 3Lions Publishing Inc., publisher of the HIPAA Survival Guide. "The use of encryption will continue to increase dramatically as it becomes a de facto best practice, despite the fact that the security rule does not mandate it," Leyva said, "because covered entities and business associates want to take advantage of the encryption 'safe harbor' provided by the HITECH Act."
Most of the increased focus on HIPAA policies next year will come from the HIPAA omnibus rule, which outlines data breach audit protocols. A final rule was expected this year, but Leyva said to look for it in early 2013 instead. And though that rule will govern how to plan for more data breach audits next year, health care organizations should also look to it for greater awareness of how their relationships with covered entities and business associates will change. "The relationship with business associates has to be re-engineered in light of HITECH," Leyva said. "HITECH is 'transformative' in many ways, but especially regarding the relationship between covered entities and business associates."
This transformative nature will be true particularly where new technologies cross with new policies and procedures. Hybrid clouds hosting distributed data centers and mobile networks will replace the current use of virtual private networks, or VPNs, among organizations seeking to reengineer their networks for more flexibility and adaptability of workloads. "In 2013, if you can't switch workloads between public and private clouds, you won't be competitive," said David Small, senior vice president and chief platform officer at Verizon Enterprise Solutions, in a news release.
Using private clouds in health care helps information flow, but there are still privacy and security challenges, Leyva said. "The cloud is a business associate relationship on steroids," he said. "On the one hand, the cloud economics are so compelling that the health care industry will continue to migrate to the cloud en masse. On the other hand, many covered entities will move to the cloud and find that it sometimes rains in the cloud, especially if key terms and conditions have been ignored in the business associate contract."