Contact Us
Subscribe to this blog via RSS
Join us on LinkedInCategories
- Medical Spas
- medical billing
- No Surprises Act
- Mandatory vaccination policies
- Workplace health
- Coronavirus Aid, Relief and Economic Security Act
- Code Enforcement
- Department of Labor ("DOL")
- Employment Law
- FFCRA
- CARES Act
- Nursing Home Reform Act
- COVID-19
- SB 150
- Acute Care Beds
- Clinical Support
- Coronavirus
- Emergency Medical Services
- Emergency Preparedness
- Families First Coronavirus Response Act
- Family and Medical Leave Act (“FMLA”)
- KBML
- medication assisted therapy
- Department of Health and Human Services
- Legislative Developments
- Corporate
- United States Department of Justice ("DOJ")
- Employee Contracts
- Non-Compete Agreement
- Opioid Epidemic
- Sexual Harassment
- Health Resource and Services Administration
- Litigation
- Medical Malpractice
- House Bill 333
- Senate Bill 79
- locum tenens
- Senate Bill 4
- Physician Prescribing Authority
- Chronic Pain Management
- HIPAA
- Prescription Drugs
- "Two Midnights Rule"
- 340B Program
- EHR Systems
- Hospice
- ICD-10
- Kentucky minimum wage
- Minimum wage
- Primary Care Physicians ("PCPs")
- Skilled Nursing Facilities (“SNFs”)
- Uncategorized
- Affordable Insurance Exchanges
- Drug Screening
- Electronic Health Records (“EHR")
- Fraud
- Health Care Fraud
- HIPAA Risk Assessment
- KASPER
- Mental Health Care
- Office for Civil Rights ("OCR")
- Stark Laws
- Urinalysis
- Accountable Care Organizations (“ACO”)
- Certificate of Need ("CON")
- Compliance
- Department of Health and Human Services (HHS)
- Federally Qualified Health Centers (“FQHCs”)
- Fee for Service
- HPSA
- Kentucky Board of Medical Licensure
- Kentucky’s Department for Medicaid Services
- Office of Inspector General of the United States Department of Health and Human Services (OIG)
- Part D
- Pharmacists
- Physician Assistants
- Qui Tam
- Rural Health Centers (“RHCs”)
- Telehealth
- Affordable Care Act
- Alternative Payment Models
- Anti-Kickback Statute
- Centers for Medicare & Medicaid Services (“CMS”)
- Charitable Hospitals
- Data Breach
- Electronic Protected Health Information (ePHI)
- False Claims Act
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Professional Shortage Area ("HPSA")
- Hospitals
- HRSA
- Limited Services Clinics
- Medicaid
- Medical Staff By-Laws
- Medically Underserved Area ("MUA")
- Medicare
- Mid-Level Practitioners
- Patient Protection and Affordable Care Act (“ACA”)
- Rural Health Clinic
- American Telemedicine Association (“ATA”)
- Criminal Division of the Department of Justice (“DOJ”)
- Health Care Fraud Prevention and Enforcement Action Team (“HEAT”)
- Hydrocodone
- Kentucky Board of Nursing
- Kentucky Pharmacists Association
- Qualified Health Care Centers (“FQHC”)
- Telemedicine
- APRNs
- United States ex. Rel. Kane v. Continuum Health Partners
- Webinar
- Agreed Order
- Chain and Organization System (“PECOS”)
- Chiropractic services
- Clinical Laboratory Improvement Amendments of 1988 (“CLIA”)
- Douglas v. Independent Living Center of Southern California
- Drug Enforcement Agency ("DEA")
- Emergency Rooms
- Enrollment
- Hinchy v. Walgreen Co.
- Jimmo v. Sebelius
- Kentucky Senate Bill 7
- Maintenance Standard
- Medicare Part D
- Minors
- Ophthalmological services
- Overpayments
- Physician Compare website
- Re-validation
- Texting
- Vitas Innovative Hospice Care
- 2014 Medicare Physician Fee Schedule (“PFS”)
- 501(c)(3)
- All-Payer Claims Database ("APCD")
- Appeal
- Chronic Care Management
- Compliance Officer
- Compounding
- CPR
- Dispenser
- Drug Quality and Security Act (“DQSA”)
- Essential Health Benefits
- HealthCare.gov
- House Bill 3204
- ICD-9
- Kindred v. Cherolis
- Long-term care communities
- National Drug Code ("NDC")
- New England Compounding Center ("NECC")
- Outsourcing facility
- Ping v. Beverly Enterprises
- Power of Attorney ("POA")
- Prescriber
- State Health Plan
- Sustainable Growth Rate (“SGR”)
- "Plan of Correction"
- Affinity Health Plan
- Arbitration
- Cadillac tax
- Centers for Disease Control and Prevention
- Community health needs assessment (“CHNA”)
- Condition of Participation ("CoP")
- Daycare centers
- Denied Claims
- Department of Medicaid Services’ (“DMS”)
- Division of Regulated Child Care
- Employer Mandate
- Fair Labor Standards Act (FLSA)
- Federation of State Medical Boards (“FSMB”)
- Food and Drug Administratio
- Form 4720
- Grace Period
- Health Professional Shortage Areas (“HPSA”)
- Home Health Prospective Payment System
- Home Medical Equipment Providers
- Hospitalists
- Individual mandate
- Inpatient Care
- Intermediate Sanctions Agreement
- Kentucky Health Benefit Exchange
- Kentucky Medical Practice Act
- Kynect
- Licensed practical nurses (LPN)
- Licensure Requirements
- LLC v. Sutter
- Long-Term Care Providers ("LTC")
- Low-utilization payment adjustment ("LUPA")
- Medicare Shared Saving Program (MSSP)
- Mobile medical applications ("apps")
- Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”)
- National Institutes of Health
- Network provider agreement
- Nonprofit hospitals
- Nonroutine medical supplies conversion factor (“NRS”)
- Nurse practitioners (NP)
- Payors
- Personal Service Entities
- Physician Payments
- Physician Recruitment
- Physician shortages
- Qualified Health Plan ("QHP")
- Quality reporting
- Registered nurses (RN)
- Residency Programs
- Social Media
- Spousal coverage
- Statement of Deficiency ("SOD")
- Upcoding
- UPS
- “Superuser”
- Advanced Practice Registered Nurses
- Audit
- Autism/ASD
- Business Associate Agreements
- Business Associates
- Call Coverage
- Decertification
- Doe v. Guthrie Clinic
- EHR vendor
- Employer Group Health Plans
- ERISA
- False Billings
- Group Purchasing Organizations ("GPO")
- Health Reform
- House Bill 104
- Kentucky House Bill 159
- Kentucky House Bill 217
- List of Excluded Individuals and Entities
- Meaningful use incentives
- Medicare Administrative Coordinators
- Medicare Benefit Policy Manual
- Office of the National Coordinator for Health Information Technology (“ONC”)
- Part A
- Part B
- Patient Autonomy
- Patient Privacy
- Personal Health Information
- Provider Self Disclosure Protocol
- Self-Disclosure Protocol
- Senate Bill 39
- Senate Finance Committee Report
- State Medicaid Expansion
- Trade Association Group Coverage
- Center for Disease Control
- Compliance Programs
- Critical Access Hospitals (“CAHs”)
- Essential Health Benefits (“EHBs”)
- Genetic Information Nondiscrimination Act ("GINA")
- Healthcare Information and Management Systems Society (HIMSS)
- Kentucky Primary Care Centers (“PCCs”)
- Managed Care Organizations (“MCOs”)
- Medicare Audit Improvement Act of 2012
- Occupational Safety and Health Administration (“OSHA”)
- Recovery Audit Contractors (“RAC”)
- Small Business Health Options Program (“SHOP”)
- Sunshine Act
- Abuse and Waste
- Consumer Operated and Oriented Plan programs (“CO-OPS”)
- Free Conference Committee Report
- House Bill 1
- House Bill 4
- Kentucky Cabinet for Health and Family Services
- Kentucky Health Care Co-Op
- Kentucky Health Cooperative (“KYHC”)
- Kentucky “Pill Mill Bill”
- Pain Management Facilities
- Employee Agreement
- Health Care Fraud and Abuse Control Program
- Health Insurance
- Healthcare Regulation
- Health Care Law
McBrayer Blogs
IS HIPAA IN THE CLOUDS?
Virtual or “cloud” data storage is an increasingly popular method for storing data electronically in a safe and yet conveniently accessible manner that may also represent a cost savings over traditional onsite data storage options. Health care providers, including hospitals, pharmacies and physicians, have been slow to avail themselves of the benefits of “cloud computing” due in part to concerns about whether the cloud offers the rigorous privacy and security safeguards required for storing electronic protected health information (ePHI) under Federal and State privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and implementing regulations.
Traditional Onsite Storage.
Health information privacy laws require covered health care providers and payors as “covered entities” to protect the confidentiality, integrity and availability of ePHI.[i] Traditionally, this has involved storing patient records and other PHI onsite, on systems controlled by the covered entity.
The benefit of onsite storage is that the covered entity can implement and enforce policies and procedures to control access and ensure confidentiality of the stored PHI, literally placing it under “lock and key.” The downside of onsite storage is that the PHI is housed in one location, vulnerable to power outages, fire, hurricanes and other natural disasters, and as the volume of PHI grows, maintaining enough onsite storage capacity may become costly. Additionally, such onsite storage may present significant obstacles for the covered entity when attempting to access PHI from other practice locations.
The Cloud Storage Cometh.
Cloud computing is similar in many ways to a data warehousing solution and generally means that data in the “cloud” is stored on a network of servers that provide storage capacity for a “virtual environment” managed by the cloud storage vendor. Data stored in the cloud is accessible anywhere there is an internet connection, and the cloud vendor typically maintains firewalls, backup and disaster recovery procedures, alternate power management and other mechanisms to significantly reduce any possibility of data loss. The cloud vendor also controls who has access to the data, where the data is physically located and how the data is segregated from other data on the shared server network.
The servers used for cloud storage may be distributed over a number of physical locations (including internationally) and the virtual environment is accessed, in a “public cloud”, by multiple clients of the cloud vendor that share space on the network of servers. The cloud vendor is responsible for ensuring careful segregation of each client’s data to prevent unauthorized access by one client to another client’s data, and for security purposes. The cloud storage model is more vulnerable to attacks than onsite storage as hackers may attempt to access the data from the internet and are incentivized to do so with a significant amount of data from multiple parties being stored on the shared server network. Along with firewalls, antivirus software and a number of other defensive tools available to cloud vendors, segregating client data reduces vulnerability to successful breach.
In this piece we focus on the “public” or “shared” cloud model, with multiple clients sharing space on the cloud server network. “Private” clouds are also available that offer dedicated cloud server space for a particular client.
Deciding to utilize a cloud storage option whether “public” or “private” to store ePHI is not the final step in the process. Selecting the right cloud vendor has its own set of considerations. Check back on Thursday, when we discuss Floating Forward with Cloud Computing.
Services may be performed by others.
This article does not constitute legal advice.
[i] 45 C.F.R. § 164.306(a).
