HIPAA Update Ushers In Broad Security, Reporting Regime
With last week's massive overhaul of the Health Insurance Portability and Accountability Act, federal health officials imposed heightened data security and breach reporting obligations on health care providers, insurers and their business associates, sending them all scrambling to rework contracts and establish procedures to meet the expansive new requirements.
While business associates that operate exclusively or primarily in the health care space should have an easier time transitioning, the regulation also draws in subcontractors, which could include cloud providers that may not even be aware that they are storing protected health information, making compliance with the rule more difficult, attorneys noted.
"Some entities may be surprised to realize that they are business associates," Data Privacy and Security team Co-Chair Shannon Hartsfield said. "The preamble indicates that an entity such as a document storage company that 'maintains' this information on behalf of a covered entity is a business associate, even if the entity does not actually view the protected health information."