retrieved April 27, 2015 from GovHealthIT.com
It’s become all too common to read about theft or mishandling of private health data. Whether due to a targeted attack or unintentional breach, entities and individuals within the healthcare system need greater peace of mind that sensitive data is safe and secure. A new international privacy standard for cloud providers — ISO 27018 — brings an effective means to better protect health data. The privacy standard mirrors some of HIPAA’s tenets while providing an all-important third-party audit mechanism.
While enacted almost 20 years ago and updated recently in 2013, HIPAA still falls short of truly protecting personal data in today’s data-rich healthcare system. The two main provisions of the law change were meant to protect health insurance coverage for an employee following job loss and set standards for electronic transactions involving healthcare data. The latter provision, put into place in 2003, contains the Privacy Rule that governs the use and disclosure of Personal Health Information (PHI).
The matter of business associates
As originally written, the HIPAA Privacy Rule applied to covered entities or, generally speaking, health insurance companies, employer provided health plans, and some healthcare providers. The rule forbids any covered entity from using PHI for marketing purposes without patient authorization.
Some aspects of the original Privacy Rule also applied to business associates or the third-party organizations that covered entities’ use when performing their healthcare activities. As the Department of Health and Human Services states, examples of business associates include a consultant who produces utilization reports for a hospital and a healthcare clearinghouse that translates claim data from one format to another.
In 2013, the law was updated to ensure all aspects of the Privacy Rule now apply to business associates and covered entities. But this expansion is not enough to adequately protect personal healthcare data. The rub lies in who qualifies as a business associate, which may not include all of the technology service providers that manage data behind the scenes. A business associate is required to enter into to a Business Associate Agreement (BAA).
A BAA creates the legal relationship between the covered entity and business associate. It governs the permitted use of PHI and requires business associates to put into place safeguards to “prevent unauthorized use or disclosure of the information.” The business associate is prohibited from using or disclosing healthcare data in any way that violates HIPAA.
In the decade between the issuance of the original and updated HIPAA regulations, the number and types of business associates exploded. In addition, electronic healthcare transactions have increased exponentially. In 2015, the U.S. market for electronic records alone is expected to reach $9 billion. Companies that provide the underlying infrastructure for healthcare data transactions including cloud providers, email systems, and intranet services are also part of the landscape that should protect PHI.
While the new HIPAA privacy rule includes language to bring an increasing number of technology service providers under the business associate umbrella, it is not clear whether industry practice has kept pace with the new rule.
Call to action: Embrace ISO 27018
To address this gap and better protect the privacy of PHI, the government must adopt the tenets of ISO 27018.
Although the standard, as currently written, focuses on Personally Identifiable Information (PII), it can apply a rough benchmark as to how a technology service provider will handle PHI as well. And while the substantive requirements of ISO 27018 may not match the requirements of HIPAA exactly, they overlap significantly. This overlap is valuable, as it can offer third-party validation of these requirements through an audit process.
ISO 27018 provides a strong litmus test for entities that handle sensitive information such as PHI — and will help entities pick and choose among technology service providers.
Technology service providers that have undergone a successful audit for the controls under ISO 27018 can demonstrate a commitment to using the types of security and privacy controls required for handling such sensitive information.
Complying with ISO 27018 means public and private sector entities, as well as the individuals who entrust them with their data, can rest easier knowing that their data will not be reused by technology companies without their consent.