Rules & Regulations – Outsourcing HIPAA compliance among health care organizations

February 11, 2017
Dave McCrystal
From the January 2017 issue of HealthCare Business News magazine

Security, and the flexibility to stay compliant as requirements change, are central considerations for health care leaders. Health care providers must deliver the best possible patient care while simultaneously complying with the Health Insurance Portability and Accountability Act (HIPAA), which in practice means meeting specific security, privacy and breach notification rules for the storage, use, disclosure and transmission of protected health information (PHI). By outsourcing HIPAA cloud compliance, customers and providers share the commitment to hosting an application that complies with HIPAA and HITECH requirements, easing the burden on each party in the process.

The outsourcing approach also allows health care organizations to reduce costs and increase productivity by enabling unified communications and disaster recovery capabilities. With these measures in place, health care providers can devote more of their attention to patient care rather than to compliance. HIPAA, enacted in 1996, is designed to promote the confidentiality and portability of patient records and consistent security practices across the health care industry. Its principal components are the privacy rule and the security rule. The security rule specifies the administrative, physical and technical safeguards that must be put in place to protect the confidentiality, integrity and availability of electronic PHI (ePHI). The privacy rule, meanwhile, permits covered providers and health plans to disclose PHI to business associates (BAs), the entities that create, receive, maintain or transmit PHI on their behalf. Such disclosure is permitted only when the BA has given satisfactory written assurance, in a business associate agreement, that the PHI will be safeguarded from misuse.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, expanded many of the requirements contained in HIPAA. Its most notable provisions concerned notification requirements for breaches of unsecured PHI and increased penalties for non-compliance. In 2013, the Omnibus Rule made significant changes to the HIPAA privacy, security, breach notification and enforcement rules. The Omnibus Rule also expanded the definition of a BA to include subcontractors that create, receive, maintain or transmit PHI on behalf of another BA. Under this rule, BAs and their subcontractors are directly liable for compliance with the applicable HIPAA requirements, so PHI remains protected as it passes from a covered entity down the chain of service providers.

Health care organizations, as the covered entities, remain ultimately responsible for the security of their ePHI. However, cloud providers can streamline compliance by hosting communications and computing systems on their behalf. Because a cloud provider that stores or transmits ePHI is itself a BA, this partnership must be backed by a business associate agreement, with the provider's safeguards documented so the covered entity can verify them. With that in place, health care entities can focus on their primary responsibility: providing the highest standard of patient care. To maintain HIPAA compliance, cloud providers must deliver solutions that evolve with, and continue to support, changing regulatory requirements.
