Contact Us
Categories
- Medical Spas
- medical billing
- No Surprises Act
- Mandatory vaccination policies
- Workplace health
- Coronavirus Aid, Relief and Economic Security Act
- Code Enforcement
- Department of Labor ("DOL")
- Employment Law
- FFCRA
- CARES Act
- Nursing Home Reform Act
- COVID-19
- SB 150
- Acute Care Beds
- Clinical Support
- Coronavirus
- Emergency Medical Services
- Emergency Preparedness
- Families First Coronavirus Response Act
- Family and Medical Leave Act (“FMLA”)
- KBML
- medication assisted therapy
- Department of Health and Human Services
- Legislative Developments
- Corporate
- United States Department of Justice ("DOJ")
- Employee Contracts
- Non-Compete Agreement
- Opioid Epidemic
- Sexual Harassment
- Health Resource and Services Administration
- Litigation
- Medical Malpractice
- House Bill 333
- Senate Bill 79
- locum tenens
- Physician Prescribing Authority
- Senate Bill 4
- Chronic Pain Management
- HIPAA
- Prescription Drugs
- "Two Midnights Rule"
- 340B Program
- EHR Systems
- Hospice
- Kentucky minimum wage
- Minimum wage
- Skilled Nursing Facilities (“SNFs”)
- Uncategorized
- Drug Screening
- Electronic Health Records (“EHR")
- ICD-10
- Mental Health Care
- Primary Care Physicians ("PCPs")
- Urinalysis
- Affordable Insurance Exchanges
- Compliance
- Department of Health and Human Services (HHS)
- Federally Qualified Health Centers (“FQHCs”)
- Fraud
- Health Care Fraud
- HIPAA Risk Assessment
- HPSA
- KASPER
- Kentucky Board of Medical Licensure
- Kentucky’s Department for Medicaid Services
- Office for Civil Rights ("OCR")
- Office of Inspector General of the United States Department of Health and Human Services (OIG)
- Pharmacists
- Physician Assistants
- Qui Tam
- Rural Health Centers (“RHCs”)
- Stark Laws
- Telehealth
- Accountable Care Organizations (“ACO”)
- Affordable Care Act
- Alternative Payment Models
- Anti-Kickback Statute
- Centers for Medicare & Medicaid Services (“CMS”)
- Certificate of Need ("CON")
- Charitable Hospitals
- Data Breach
- Electronic Protected Health Information (ePHI)
- False Claims Act
- Fee for Service
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Professional Shortage Area ("HPSA")
- Hospitals
- HRSA
- Limited Services Clinics
- Medicaid
- Medical Staff By-Laws
- Medically Underserved Area ("MUA")
- Medicare
- Mid-Level Practitioners
- Part D
- Patient Protection and Affordable Care Act (“ACA”)
- Rural Health Clinic
- American Telemedicine Association (“ATA”)
- Criminal Division of the Department of Justice (“DOJ”)
- Health Care Fraud Prevention and Enforcement Action Team (“HEAT”)
- Hydrocodone
- Kentucky Board of Nursing
- Kentucky Pharmacists Association
- Qualified Health Care Centers (“FQHC”)
- Telemedicine
- Webinar
- Agreed Order
- APRNs
- Chain and Organization System (“PECOS”)
- Douglas v. Independent Living Center of Southern California
- Drug Enforcement Agency ("DEA")
- Hinchy v. Walgreen Co.
- Jimmo v. Sebelius
- Maintenance Standard
- Overpayments
- United States ex. Rel. Kane v. Continuum Health Partners
- Vitas Innovative Hospice Care
- 2014 Medicare Physician Fee Schedule (“PFS”)
- 501(c)(3)
- All-Payer Claims Database ("APCD")
- Chiropractic services
- Chronic Care Management
- Clinical Laboratory Improvement Amendments of 1988 (“CLIA”)
- Compliance Officer
- Compounding
- CPR
- Drug Quality and Security Act (“DQSA”)
- Emergency Rooms
- Enrollment
- Essential Health Benefits
- House Bill 3204
- ICD-9
- Kentucky Senate Bill 7
- Medicare Part D
- Minors
- New England Compounding Center ("NECC")
- Ophthalmological services
- Outsourcing facility
- Physician Compare website
- Re-validation
- Sustainable Growth Rate (“SGR”)
- Texting
- Affinity Health Plan
- Appeal
- Arbitration
- Cadillac tax
- Centers for Disease Control and Prevention
- Community health needs assessment (“CHNA”)
- Condition of Participation ("CoP")
- Denied Claims
- Department of Medicaid Services’ (“DMS”)
- Dispenser
- Employer Mandate
- Federation of State Medical Boards (“FSMB”)
- Food and Drug Administratio
- Form 4720
- Grace Period
- Health Professional Shortage Areas (“HPSA”)
- HealthCare.gov
- Home Health Prospective Payment System
- Home Medical Equipment Providers
- Hospitalists
- Individual mandate
- Inpatient Care
- Kentucky Health Benefit Exchange
- Kentucky Medical Practice Act
- Kindred v. Cherolis
- Kynect
- Licensure Requirements
- LLC v. Sutter
- Long-term care communities
- Long-Term Care Providers ("LTC")
- Low-utilization payment adjustment ("LUPA")
- Medicare Shared Saving Program (MSSP)
- Mobile medical applications ("apps")
- Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”)
- National Drug Code ("NDC")
- National Institutes of Health
- Network provider agreement
- Nonprofit hospitals
- Nonroutine medical supplies conversion factor (“NRS”)
- Payors
- Personal Service Entities
- Physician Payments
- Physician Recruitment
- Physician shortages
- Ping v. Beverly Enterprises
- Power of Attorney ("POA")
- Prescriber
- Qualified Health Plan ("QHP")
- Quality reporting
- Residency Programs
- Social Media
- Spousal coverage
- State Health Plan
- Upcoding
- UPS
- “Superuser”
- "Plan of Correction"
- Advanced Practice Registered Nurses
- Audit
- Autism/ASD
- Business Associate Agreements
- Business Associates
- Call Coverage
- Daycare centers
- Decertification
- Division of Regulated Child Care
- Doe v. Guthrie Clinic
- EHR vendor
- Employer Group Health Plans
- ERISA
- Fair Labor Standards Act (FLSA)
- False Billings
- Genetic Information Nondiscrimination Act ("GINA")
- Group Purchasing Organizations ("GPO")
- Health Reform
- House Bill 104
- Intermediate Sanctions Agreement
- Kentucky House Bill 159
- Kentucky House Bill 217
- Licensed practical nurses (LPN)
- List of Excluded Individuals and Entities
- Meaningful use incentives
- Medicare Administrative Coordinators
- Medicare Benefit Policy Manual
- Nurse practitioners (NP)
- Office of the National Coordinator for Health Information Technology (“ONC”)
- Part A
- Part B
- Patient Autonomy
- Patient Privacy
- Personal Health Information
- Provider Self Disclosure Protocol
- Registered nurses (RN)
- Self-Disclosure Protocol
- Senate Bill 39
- Senate Finance Committee Report
- State Medicaid Expansion
- Statement of Deficiency ("SOD")
- Trade Association Group Coverage
- Abuse and Waste
- Center for Disease Control
- Compliance Programs
- Consumer Operated and Oriented Plan programs (“CO-OPS”)
- Critical Access Hospitals (“CAHs”)
- Essential Health Benefits (“EHBs”)
- Healthcare Information and Management Systems Society (HIMSS)
- Kentucky Cabinet for Health and Family Services
- Kentucky Health Care Co-Op
- Kentucky Health Cooperative (“KYHC”)
- Kentucky Primary Care Centers (“PCCs”)
- Managed Care Organizations (“MCOs”)
- Medicare Audit Improvement Act of 2012
- Occupational Safety and Health Administration (“OSHA”)
- Recovery Audit Contractors (“RAC”)
- Small Business Health Options Program (“SHOP”)
- Sunshine Act
- Employee Agreement
- Free Conference Committee Report
- Health Care Fraud and Abuse Control Program
- House Bill 1
- House Bill 4
- Kentucky “Pill Mill Bill”
- Pain Management Facilities
- Health Care Law
- Health Insurance
- Healthcare Regulation
McBrayer Blogs
IS HIPAA IN THE CLOUDS?
Virtual or “cloud” data storage is an increasingly popular method for storing data electronically in a safe and yet conveniently accessible manner that may also represent a cost savings over traditional onsite data storage options. Health care providers, including hospitals, pharmacies and physicians, have been slow to avail themselves of the benefits of “cloud computing” due in part to concerns about whether the cloud offers the rigorous privacy and security safeguards required for storing electronic protected health information (ePHI) under Federal and State privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and implementing regulations.
Traditional Onsite Storage.
Health information privacy laws require covered health care providers and payors as “covered entities” to protect the confidentiality, integrity and availability of ePHI.[i] Traditionally, this has involved storing patient records and other PHI onsite, on systems controlled by the covered entity.
The benefit of onsite storage is that the covered entity can implement and enforce policies and procedures to control access and ensure confidentiality of the stored PHI, literally placing it under “lock and key.” The downside of onsite storage is that the PHI is housed in one location, vulnerable to power outages, fire, hurricanes and other natural disasters, and as the volume of PHI grows, maintaining enough onsite storage capacity may become costly. Additionally, such onsite storage may present significant obstacles for the covered entity when attempting to access PHI from other practice locations.
The Cloud Storage Cometh.
Cloud computing is similar in many ways to a data warehousing solution and generally means that data in the “cloud” is stored on a network of servers that provide storage capacity for a “virtual environment” managed by the cloud storage vendor. Data stored in the cloud is accessible anywhere there is an internet connection, and the cloud vendor typically maintains firewalls, backup and disaster recovery procedures, alternate power management and other mechanisms to significantly reduce any possibility of data loss. The cloud vendor also controls who has access to the data, where the data is physically located and how the data is segregated from other data on the shared server network.
The servers used for cloud storage may be distributed over a number of physical locations (including internationally) and the virtual environment is accessed, in a “public cloud”, by multiple clients of the cloud vendor that share space on the network of servers. The cloud vendor is responsible for ensuring careful segregation of each client’s data to prevent unauthorized access by one client to another client’s data, and for security purposes. The cloud storage model is more vulnerable to attacks than onsite storage as hackers may attempt to access the data from the internet and are incentivized to do so with a significant amount of data from multiple parties being stored on the shared server network. Along with firewalls, antivirus software and a number of other defensive tools available to cloud vendors, segregating client data reduces vulnerability to successful breach.
In this piece we focus on the “public” or “shared” cloud model, with multiple clients sharing space on the cloud server network. “Private” clouds are also available that offer dedicated cloud server space for a particular client.
Deciding to utilize a cloud storage option whether “public” or “private” to store ePHI is not the final step in the process. Selecting the right cloud vendor has its own set of considerations. Check back on Thursday, when we discuss Floating Forward with Cloud Computing.
Services may be performed by others.
This article does not constitute legal advice.
[i] 45 C.F.R. § 164.306(a).