Q&A: Predicting a HIPAA cloud, BAA 'tipping point' come HIMSS13

By Tom Sullivan
10:10 AM

Despite its oft-touted advantages, the cloud computing model poses entirely new privacy and security challenges to an industry already behind many others in that regard – and HIPAA regulations play the starring role among those concerns.

Government Health IT Editor Tom Sullivan spoke with IDC Health Insights group vice president Scott Lundstrom about how the cloud addresses healthcare’s particular sophistication challenges, why he believes the industry is nearing a tipping point that will see an influx of HIPAA Business Associate Agreements by early March, and how the cloud changes more than healthcare organizations' IT culture.

Q: Which aspects of the cloud model are uniquely applicable to healthcare?
A: The sophistication challenges, the technology and the cost hurdles can be mitigated by service providers helping organizations move from a CapEx to an OpEx model. So I don’t have to buy and implement an EHR, I can subscribe to EHR as a service in the cloud, I don’t have to implement Big Data, I can buy Big Data as a service in the cloud. From a sophistication and economic risk, that’s quite desirable.

Q: Among the chief concerns of many healthcare entities is being able to ensure data security in the cloud, when someone else actually has the information…
A: There’s certainly risk there, and the way that risk becomes codified is in the HIPAA BAA [Business Associate Agreement]. Well, suppliers have understood the risk here, and they’ve been very hesitant to sign BAAs. But we’ve seen folks like Verizon come out with their HIPAA cloud; Layered Tech has a HIPAA cloud; and Dell is making some movements there.

My expectation is that in March at HIMSS the willingness to sign a HIPAA BAA is going to hit the tipping point and we’ll see a fair number of large providers expressing a willingness to do that. But it’s not easy or inexpensive.

[In part 1 of the Government Health IT interview with IDC’s Scott Lundstrom, the IT analyst predicts an HIX delay.] 

The early participants in this market are the folks running the cloud for the federal government, and they’re very security-conscious. But that doesn’t mean there aren’t risks. Now the risk moves from doing it yourself to picking the right partner and crafting the governance and legal language to protect yourself. It’s not so much removing the complexity but shifting it to the procurement and contracting parts of the organization.  

Q: How does moving what has traditionally been handled by IT into those parts of the organization change things?
A: We actually see folks staffing differently. We’re starting to see healthcare professionals with JDs, IT people with JDs, very much in demand now because we’ve gone from building and implementing to buying and sourcing, but we have the same level of business concerns. So the organizational change management around how we source and acquire the technology is kind of a really interesting sidebar as we watch this.

The cloud really does change the way organizations own and operate IT and I think this is one of those big wave, kind of 15- or 20-year changes that really does redefine the marketplace.
