Many in healthcare blame difficulties over creating new solutions or trying to ease workflow burdens on HIPAA. The litany of issues that HIPAA is blamed for include contentions that it prevents the ability to share information with patients or even other providers; it overly restricts how information can be stored or transmitted; and it does not allow any information about an individual to be disclosed under any circumstances without the impacted individual’s consent.

It is unclear whether such excuses are used because of an honest misinterpretation of HIPAA, laziness or some other reason. Regardless of the cause, HIPAA is the easy out utilized because it remains misunderstood.

Despite HIPAA being enacted in 1996 and the primary components of both the privacy and security rules being in place since the early 2000s, a pervasive belief remains that HIPAA does not address and apply to modern technology. An oft-repeated argument is that the law and regulations pre-date modern solutions, such as cloud storage and social media, which prevents innovation in these areas.

The assertion is that HIPAA blocks these forms of technology because it imposes “antiquated” notions of privacy and security against the technologies. Such assertions largely arise from an underappreciation just how HIAA operates. The viewpoint that HIPAA can, and does, apply in a fair and reasonable manner to current and developing technology is supported by the spate of guidance posted by the Office for Civil Rights (OCR).

The most recent guidance from OCR focuses on cloud computing. Like other recent guidance issued by OCR, the new cloud computing guidance does not break new ground. At least, the guidance does not break new ground for those who understand HIPAA and the way it is meant to apply, if done appropriately.

The guidance recognizes, quite correctly, that cloud computing comes in many different forms. Cloud computing can include data hosting/storage, hosted software and system infrastructure, among other options. Depending on the nature of the use, HIPAA may or may not apply. The “it depends” result is the same level of responsibility for vendors in almost any other capacity that could assist a HIPAA-covered entity (for example, a healthcare provider, a health plan or a healthcare clearinghouse).

Determining whether any vendor is a business associate depends upon the nature of the service being provided and whether protected health information will be handled, stored, accessed or otherwise utilized for or on behalf of the covered entity (namely, the definition of a business associate). The venue for the service does not matter, only the details of what will actually occur. Why it becomes so difficult to apply this in the context of technology is not necessarily clear.

6 steps to surviving a HIPAA audit
The HHS Office for Civil Rights this year will conduct audits of HIPAA covered entities and business associates to assess organizations’ compliance with the privacy, security and breach notification rules. This includes about 200 desk audits and 24 more comprehensive on-site visits, according to Hayes Management Consulting. But there are ways providers can properly prepare, according to Hayes Management.

As the cloud computing guidance states, “when a covered entity engages the services of a CSP [cloud services provider] to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA.” The same analysis applies downstream if a business associate engages a cloud services provider.

As already indicated, this determination is no different then what occurs any time a covered entity engages a vendor for services. The only potential difference is that many technology companies did not necessarily first offer services in the healthcare industry and are now being swept into a new regulatory scheme.

A lack of familiarity with a regulatory scheme, while daunting, should not be cause for flatly stating that the misunderstood regulatory scheme prevents innovation of use of services. Instead, the regulatory scheme may require certain operations to be performed in a different manner or services to be slightly altered. Accordingly, the regulations will rarely prevent an entire offering. Instead, the regulations will push companies to take a new angle or approach and develop new solutions.

From this perspective and in the healthcare context, HIPAA could actually be seen as aiding or encouraging innovation. While HIPAA will admittedly cause covered entities, business associates and subcontractors to jump through hoops, those hoops can result in the creation of new methods or practices that are beneficial. At the same time, a thorough working knowledge or the assistance of one who has such knowledge can enable that innovation. If one does not know the rules of the game, then it is often very hard to win the game.

Knowing the rules of the game is very important in healthcare. The stakes are too high to unintentionally or negligently not comply with requirements. The cloud computing guidance helps to hammer that lesson home. The guidance is clearly meant to address common areas of ignorance or questions with the hope of leveling and improving the playing field. The questions that are asked and answered in the guidance demonstrate this intent. By asking when HIPAA could apply to a cloud services provider, illuminating that many services are covered and then explaining what areas of HIPAA would need to be implemented, OCR is passing out a foundational playbook.

The key is establishing the baseline of knowledge. Knowledge helps dispel fear and opens many different doors. As options can start to be visualized and considered, then innovation will result. Further, not only will innovation result, but solutions will be created that can benefit a whole host of players in the targeted field.

In terms of HIPAA, the knowledge that it is both flexible and scalable (particularly in the Security Rule) is the foundation to work from. The mixture of required and addressable elements within the Security Rule permits it to be applied as best fits the particular solution. The other aspect to remember is that HIPAA compliance applies not to a tool or solution, but to the entity. The tool or solution is part of how the entity establishes compliance, but a tool or solution is not HIPAA complaint in and of itself.

Healthcare cannot afford to be shackled any longer by anyone fearing HIPAA (or other regulations) when trying to innovate. The rapidly changing landscape of healthcare, both for delivery and payment, is fueling the need for tools and solutions that can push that change. Unless and until innovators and others understand and work with the regulations that are in place, the true and necessary innovation and change will not happen. It feels as though the tide is shifting, but momentum cannot be lost. All should continue pushing through and seek to gain knowledge of the applicable regulations in order to help create a better future for healthcare.

Matthew Fisher

Matthew Fisher

Fisher is the Chair of the Health Law Group at Mirick O'Connell, a law firm based in Worcester, Mass.