I encourage you to read the article again, or for the first time, as I have added information on:
- The Omnibus Rule itself;
- Cloud providers as Business Associates;
- Business Associate Agreements;
- Direct liability and civil monetary penalties for non-compliance; and
- Breach notification rules.
I also provide directions forward, ending with:
The Omnibus Rule is an extension of the concepts first embodied in HIPAA: to protect sensitive information about patients' health and to ensure that this data is available and correct when needed for treatment. In undertaking responsibility for PHI as BAs or subcontractors, cloud service providers are now held to the same standards as covered entities, the providers in whom patients place their trust. By understanding and clearly defining its role as a BA or subcontractor, a cloud service provider can not only avoid harsh penalties but also preserve its reputation as a reliable partner in healthcare.
Ultimately, responsibility matters not only for HIPAA and HITECH compliance but also for preserving trust. A doctor entrusts a BA with critical information shared by patients who have divulged their most intimate details, and whose electronic PHI (EPHI) may be stored in the cloud. If that EPHI is compromised, patients might lose trust in their doctors, and consequently their care might be put at risk. Thus the significance of HIPAA and HITECH goes beyond the law. EPHI is not merely data; it represents individuals, their health, and their lives.