I had the pleasure of attending the iHT2 conference in Atlanta for the second year in a row and was once again pleased with the opportunity to interact with providers in such an intimate setting. A far cry from the chaos and showmanship of HIMSS, to be sure. No matter what session I attended throughout the two-day event, I heard consistent mumblings of discontent around HIPAA, especially in the context of being a barrier to innovation in the mobile health space.
My Twitter friends have a habit of putting things into perspective for me, and Susana Vallelonga, aka @sgcalderoni, didn’t disappoint:
She makes a good point – one that ties into a recent discussion I had with Frankie Rios, the new Vice President of Information Security at GNAX Health. He is facing a similar challenge when it comes to convincing providers of the benefits of the cloud in the face of new HIPAA rules. He is no stranger to challenges, though, having spent 16 years in the US Marine Corps as a Senior Network Engineer, Trainer and Supervisor. I had the chance to chat with him recently about the state of cloud computing in the wake of the recently enacted Omnibus Rule.
Do you think the newly enacted HIPAA rules will scare providers away from migrating to the cloud?
Actually, the new HIPAA rules protect providers as they migrate data and applications to the cloud. Whether it is cloud computing or cloud storage, the new rules provide a stronger framework. The technology continues to mature and as it does so, I believe we will continue to see a growing acceptance of cloud services from providers.
How are you working to combat these fears?
We are educating providers from both a technology and policy perspective. Technologically speaking, there is no reason why the cloud cannot be as (or more) secure than an on-premise solution. We are also providing information on implemented controls to secure patient data within the cloud.
You recently created a set of criteria to help providers evaluate potential cloud providers and their compliance with HIPAA requirements. How would you say this list has changed in the last five years? What should providers be aware of now that they may not have even considered a few years ago?
The list has really not changed much in the last five years. All of the controls are based on information management security best practices that have been around much longer. What has changed are the security technologies and cost of implementing the controls. For some, the costs have gone down and for some the costs have increased.
A few years ago it was difficult to ensure that vendors had the proper controls in place. There were no instruments to hold vendors accountable other than extra contract language or business associate agreements. The responsibility was on the provider to implement security controls and ensure HIPAA compliance. In the case of a breach, the provider (not the vendor) was liable.
With the new rule, business associates are also liable in the event of a breach, and must ensure that the same security controls are in place.
Along those same lines, how do maturing EMR technologies play into a provider’s decision to move to the cloud?
Most EMRs already have the ability to deliver their application in a cloud-based environment, or their solution is offered as an ASP model. This makes it very easy for providers to migrate their EMR technologies to the cloud.
The cloud is really just the “next step” from virtualization of current assets. It is not maturity of the EMR itself, but simply an enhanced infrastructure and platform functionality.
However, providers should ask how cloud options for their EMR impact clinician workflow. Changes should be clinician-centric, not technology-centric. All the technology in the world is meaningless if it doesn’t improve the workflow or functionality of the clinician.
It seems you are well versed in risk analysis, coming from a military background and then moving into healthcare IT. How has that first career prepared you for this new age of digital breaches in healthcare environments?
My first career in the military greatly improved my ability to act quickly on new situations or regulations. In addition, the emphasis on planning is an important part of the process along with communication.
Risk analysis is an ongoing process. Most implementation mistakes are around performing risk analysis and then doing nothing for the rest of the year. Risk analysis must be part of all aspects of information management in healthcare, especially strategic and budget planning.
Simply checking off the box that the risk analysis is complete is wrong! As business processes and technology change, so will the risks that have been introduced. Risk analysis is an ongoing process, not a once-and-done.