What do attorneys and compliance experts have to do between now – just weeks after the HHS Office for Civil Rights (OCR) released the new HIPAA enforcement rule – and the time enforcement actually occurs later this year? Read between the lines of the nearly 600-page document and imagine every single potential violation, that’s what.
Since the omnibus rule’s release about 10 days ago, we’ve seen a spectrum of scenarios described in emails every day, some very reasonable and thought-provoking. Others – farfetched conspiracy theories that could only have been imagined by people we’d charitably describe as wing nuts – go directly to the spam folder.
One of the more fascinating – non-wing nut – issues to tackle is where a cloud document storage service provider’s role as “conduit” (OCR’s word) ends and business associate starts. Conduits just transport data, the electronic version of the United Parcel Service or FedEx as OCR puts it. They’re not business associates and therefore not subject to the same compliance liability as business associates.
Health IT attorney John Christiansen breaks down these legal definitions in a detailed blog post, determining that how long a company holds protected health information (PHI) and how much access it has to the PHI will figure into whether OCR could deem it a HIPAA business associate or a mere conduit. He and HIPAA compliance expert Jim Sheldon-Dean, Lewis Creek Systems principal, figure that according to the letter of HIPAA law, public-cloud services such as Dropbox and Google (including Gmail, Google Docs/Drive, and other related services) could unwittingly be tagged business associates of a health care provider – and subject to HIPAA privacy and security rules – if an employee of that provider uses them for sending or storing PHI.
“Here’s a scenario,” writes Sheldon-Dean in his informative, occasional email newsletter: “You have an official e-mail system that your office uses for all professional communications and you have a policy that says staff should ONLY use that system. One staffer goes outside of the policy and uses Gmail to send someone in another office some PHI. Under the new rules? BAM! Google is a Business Associate because they have access to your firm’s PHI. Without any notice or intervention, and despite any terms of service they might wish to implement. With that one act, both you and Google are in violation of the HIPAA BA rules, without your or their knowledge.”
Now, the $64,000 (or much, much more, depending on whether HIPAA-defined willful neglect comes into play) question is this: Would OCR take on Google, Dropbox or another popular public-cloud service, just because the law technically might allow for such a maneuver if these expert legal interpretations hold water? Probably not.
But we won’t know until the compliance deadlines come and go, and OCR offers a pattern of enforcement that shows all of us health care observers the real-world scenarios in which HIPAA will apply. Until then, buckle up and enjoy watching experts debate what may or may not come to pass.