Onus on vendors change cloud equation

The business associate agreements were not the easiest things to negotiate, but they did get done.'
By Mike Miliard
12:00 AM

One of the biggest roadblocks to wider adoption of cloud technology in healthcare is the fact that CIOs and chief privacy officers look askance at its security protections. They often just don't trust outsourced hosting to keep personal health information safe.
But with the HIPAA Omnibus Rule's new regulations with regard to the responsibilities of business associates such as cloud vendors - leaving them on the hook legally in the event of a data breach - it could be that providers may be more emboldened to embrace cloud hosting and enjoy the benefits it has to offer. could soon find more favor as new rules bring clarity and assign responsibility for privacy protections.
At least that's what one recent study conducted by Porter Research and sponsored by Covisint seems to suggest. "Healthcare Industry Reaches Tipping Point: CIOs Now Demand the Cloud for Shared Savings and Interoperability," finds increasing confidence in the cloud among healthcare decision-makers, due in large part to the new specifications laid out by the Omnibus rule.
"For a long time, the cloud was untrusted on multiple levels -- people weren't familiar with it, they were afraid of the security aspect and, simply stated, it just wasn't the safe career choice -- in other words, nobody got fired for not choosing the cloud in the past," says Covisint's Chief Medical Information Officer John Haughton, MD.
"That's all changing dramatically," he says.
From a strategic point of view this shift in attitudes is being driven by the Affordable Care Act, says Haughton. "With the advent of accountable care initiatives, providers and payers need a way to share clean, secure private health information throughout the community of care."
But another big factor has been the protections for providers brought about by the new HIPAA revisions, shifting burdens for liability to healthcare business associates, leaving cloud companies on the hook for keeping patient data secure.
"The HIPAA Omnibus Rule dramatically increased the scope of HIPAA Privacy and Security policy and the enforcement activities supported," says Haughton. "We see this as a positive development as it helps improve stakeholder trust in the cloud as a mechanism for clean, portable data."
As of this month, "Business associates, like Covisint, are held to a higher standard, and their liability under the rule is now more similar to the physician's," he says.
Among the new changes, business associates are now responsible for their subcontractors; business associates must comply with security and breach notification rules; physicians are liable for the actions of their BAs who are agents, but not for the actions of those BAs that are independent contractors.
Also, says Haughton, "physicians are no longer to report failures of their BAs to the government when termination of the agreement is not feasible, as HHS has concluded that the BA's direct liability for these violations is sufficient."
That's all good news, he says.
"In order for the cloud to gain the trust of providers and payers, cloud vendors needed to take on greater responsibility to protect patient privacy. As a result of this change, vendors like Covisint that share healthcare data in hybrid cloud environments need to completely re-assess their HIPAA policies and procedures to ensure they meet the new, more stringent requirements."
At recent Healthcare IT News/HIMSS Media Events in New York and Boston, privacy officers and CIOs suggest that the new shift of responsibilities on business associates could be a game changer - although they cautioned that negotiating business associate agreements could get contentious in light of the new HIPAA rules.
In New York, Torie Jones, chief privacy officer for University of Pennsylvania Health System (her coworkers call her "The HIPAA Lady") said that "the cloud is not going away; I think it's very appealing to healthcare organizations."
Clearly, this is a "new reality," she said, and "we need to figure out the best way to do it within the confines we've been given from a regulatory standpoint."
When the new HIPAA rule first came down the pike, Jones issued a "prediction" that "business associate negotiations with cloud providers would get very tense ... vendors would try to contractually disavow as much as they can."
So far, "in my experience, that has proven correct," she said.
When negotiating BAAs, said Jones, "be prepared for the back-and-forth. And be prepared to see language that is completely unfamiliar to you if you've negotiated BAAs before," as vendors attempt to shield themselves from risk.
It may take "several, several rounds to get to a place where the provider and the business associate are both comfortable with the language," she said. "But go into it with the mindset that it's going to land eventually. You might circle the airport a few times, but you'll get there."
Stephanie Musso, RN, privacy officer at Stony Brook University Hospital on Long Island, agrees. "It's going to be challenging at times," she said.
At Stony Brook, "It was not easy to negotiate the business associate agreement. We had to relook at the vendor's storage security. They were, needless to say, a bit put off that we were asking them all these questions about the security of their cloud: 'Don't you trust us? We've been working with you for 12 years!' This is is beyond trust. We have to dot the i's and cross the t's."
"The business associate agreements were not the easiest things to negotiate, but they did get done," she said.
But going forward, she wonders how many companies will have the inclination to go through those negotiations - and take on added liability.
"It's going to be a very interesting climate, identifying those vendors willing to jump into or stay in the healthcare realm with their cloud storage, and those who are not willing to because they don't want to jump through hoops," said Musso.
Speaking at the Healthcare IT News Health Privacy Forum in Boston on Sept. 23, Phil Curran, chief information security officer at Cooper Health System in Camden, N.J. outlined the rigorous steps his hospital took to vet its cloud providers.
"The technical evaluation is an ongoing process," he said. "And once we're done with the tech evaluation, we'll send a team out to do a physical visit to the operations center of the vendor that we're looking at."
He added, "Many vendors don't like us, that we do this. but my opinion is that we're protecting the privacy of our patients. I really don't care about vendors' feelings."
Like Musso, Curran suggested that larger vendors might be better prepared for this brave new post-Omnibus world than the smaller companies who may balk at the new requirements - if they're aware of them at all.
Speaking of non-cloud business associates, he said, his "experience with vendors varies depending on the size. Some of the GE-and Epic- and McKesson-type vendors understand what their requirements are. But we have some companies that do transcription for our ambulatory offices. They have no clue as to what their roles and responsibilities are. You need to educate them."
After all, said Musso: "It's still your PHI. If it's the vendor you chose, and they fall short of complying with the language they agreed to in the BAA, even if they're the one doing the breach notification, it's your PHI, and it's your reputation."