This week, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced a settlement of alleged HIPAA violations that may have signaled the start of OCR's next wave of enforcement actions.

Reporter James Swann's July 19 post on Bloomberg BNA's Health Care Blog, "Government Enforcement Hits the Cloud," about the OCR's $2.7 million settlement with Oregon Health & Science University points out the possible significance of the action. The blog post quotes Day Pitney healthcare lawyer Eric Fader, whose views on the matter were set forth in more detail here.

Although this latest settlement also involved the theft of a laptop that contained unencrypted patient records, its primary importance should be as a wake-up call to healthcare providers who use cloud-based services to store patient records, send emails containing protected health information, or even maintain surgical calendars. Under the 2013 HIPAA Omnibus Final Rule, data storage companies that store protected health information (PHI), in the cloud or elsewhere, are considered business associates even if they never actually access the PHI. Therefore, business associate agreements between the healthcare providers and these vendors will be necessary.
