Posted by: Jenny Laurello
Business associates, covered entities, Data breach, data breach security, HIPAA
What exactly are we talking about when we talk about HIPAA at the edge of the enterprise?
The enterprise, its IT network, and its data center have long comprised a digital fortress — a bastion that’s both fully accessible to on-site personnel and semi-accessible to off-site personnel — and its edge has always been well defined.
But today, this edge is no longer well defined as CIOs look to reduce costs by turning to the cloud, satisfy employees who want to access the network with iPads, notebooks, and other mobile devices, and give patients access per meaningful use stage 2. It’s now a porous boundary, one through which users — some of whom may access the network only once, on any device, and from any location — can come and go as they please.
Add HIPAA to that equation, and without proper security, the potential for a data breach grows dramatically. To secure it, you must have a plan.
First, you must ensure users have a consistent set of application access roles, regardless of their location or device. You don’t want them juggling multiple identities and rights — that would be impossible for you to manage and frustrating for them to endure, no matter if they’re doctors, nurses, clinicians, patients, partners, or some other member of your community.
Next, you need to work with your legal department and chief medical officer to define policies per the HIPAA omnibus rule. Determine whether you need to:
- Develop a policy regarding employees who work remotely
- Add restrictions to that policy
- Have your users sign agreements acknowledging that policy
- Give partners (e.g., physicians, specialists, patients, clearinghouses for other organizations, etc.) the ability to access your system
- Update your HIPAA consent policies as required by meaningful use stage 2
- Obtain patient consent for electronic interactions with your organization
- Provide additional training
After that, you’ll need to determine where the health records you generate will be stored, and what additional work will be done on those records. In other words, if your enterprise stores health records in the cloud and your cloud application provider offers value-added services (e.g., clinical or payment services) on top of the health records themselves, then that provider is a full-blown business associate and is subject to all the requirements to protect health records that you, as a covered entity, are subject to. Your business associate agreement with them must be updated, if it exists.
If it doesn’t exist, you have until September to get it squared away. Look for another organization’s policy set (their handling control, auditability, and reportability of HIPAA records in motion and at rest) that mirrors your own, and consider emulating it.
At this point, you may be asking, “What if my cloud application provider uses a cloud storage provider behind the scenes? What if they’ve hired another organization to help them handle my health records? Am I responsible for them?”
No. Your cloud application provider must have a proper understanding and agreement, per the HIPAA omnibus rule, with their cloud storage provider. That’s their responsibility, not yours.
Finally, you should resolve to create an efficient IT infrastructure, something most enterprises forget to do. After all, you don’t want to build another application to manage applications; another identity management system to manage identities; and another network that you have to separate, manage, and control.
You want to collaborate. You want your users and providers to come together and work in a distributed manner with centralized policy, governance, and administrative functions.
This last item, while often neglected, is essential to achieving the proper perspective on how decentralized your application deployment — and how centralized your management of that deployment — is going to be.
Once you’ve got a plan, you can lay the four foundations for succeeding as an enterprise at the edge: governance, credentialing, data management, and interoperability. In our next post, we’ll explore these foundations; highlight the new, emergent terminology that comes with them; and discuss how these foundations contribute to the realization of HIPAA’s dream for the future.