Guest post by Travis Good, M.D., CEO and co-founder of Catalyze, Inc.
Even if a bit delayed, the power and value of cloud-based technologies is starting to seep into healthcare. With each new cloud-based technology piloted or taken to scale by a healthcare organization, other institutions and corporations become more willing to roll the dice on deploying cloud-based technology. While still slow, it is happening, but not where you may think. Instead of found in the typical core applications of EHR or practice management systems, we find cloud-based technologies being introduced into the innovative health technology areas of virtual care delivery and patient self-reporting. Those areas are breaking down the barriers to cloud adoption in healthcare and that pace is increasing.
Cloud-based technology acceptance, along with everything else in the healthcare industry is moving faster than ever before. Accountable care, bundled payments, patient satisfaction, continuous care and the consumerization of healthcare are catalyzing changes to a very large, slow moving, highly regulated and risk averse industry. Technology and technology enabled services are essential for riding out these waves of change.
Every healthcare segment has seen these paradigm shifts and is trying to carve out a piece of the new pie. Large medical centers and health systems want to commercialize tools created in-house. Payers are building technology geared toward new forms of care delivery and price transparency, while biopharma is building technology to deliver continuous care powered by data from its core products – devices and medicines. All three of these healthcare segments can build technologies that utilize cloud computing and thus reap the following benefits:
- A more nimble organization
- Consumption of only the resources needed
- Access to technology and apps across geographic barriers
Compliance and Cloud Computing
With recent changes to HIPAA that went into affect as part of the HITECH and HIPAA Omnibus Rule in 2013, a surge in compliance interest has developed, especially with compliance as it relates to cloud computing. The HIPAA Omnibus Rule created a new segment within the string of compliance leading back to covered entities. The new “subcontractor” segment is something of which every healthcare compliance officer must be aware. In much the same way as a business associate processes, transmits or stores ePHI for a “covered entity,” a subcontractor will also process, transmit, or store ePHI for “business associates.” And, subcontractors, like business associates, are required to sign business associate agreements (BAAs). These agreements outline the obligations of each party in meeting different aspects of HIPAA compliance rules, and delegate the risk based on different types of possible ePHI breaches.
In creating this new “subcontractor” entity, the Omnibus Rule accounted for the paradigm shift in technology development and cloud computing. The most commonly used example of a subcontractor is found in a cloud hosting provider like Amazon (AWS) or Rackspace; yet, many other types of services exist that could be considered subcontractors.
As data and services are being accessed via Web services (typically APIs), a huge number of BLANK-as-a-Service offerings have emerged. Many modern applications utilize third-party APIs for features and functionality to speed time-to-market, while adding value to users. Using simple to consume APIs, modern applications can tap into databases, messaging (SMS, Push, email or voice), usage metrics, logging, customer support, data sources, backup and so forth.
When applications use APIs, certain data is passed back and forth to third-party companies. According to the new Omnibus Rule, if ePHI data is passed to these third party API providers, those third party vendors are “subcontractors” and thus required to sign BAAs. Things become much more murky when IP addresses are combined with personal information such as a providers name, date of service or payment for healthcare service – all of which can be considered ePHI. Not surprisingly, compliance and security officers abhor murkiness when assessing a potential project or vendor.
As commonly stated, healthcare is a risk averse industry and with good reason. Adding complexity around how and where data is flowing restricts organizations and software developers in building modern healthcare technology.
As organizations work with third-party subcontractors, what we’re starting to see, and hope to see more of, are chains of BAAs – from a covered entity to a business associate with any number of subcontractors tied to that business associate. Set up like a tree with the covered entity being the trunk, business associates branch off that trunk into limbs of services with a multitude of subcontractors that shoot forth like twigs serving the business associates.
With this hierarchy of relationships and BAAs, all entities are shouldering some of the risk and responsibilities for certain requirements of HIPAA. Typically it will be the covered entity working through its compliance and/or security office that will ultimately determine what is acceptable for its business associates, and in turn, what is acceptable for that business associates’ subcontractors.
Two Factors Curtailing Compliance and Innovation
While all these HIPAA-based relationships should be defined using business associate agreements, these remain complicated relationships, with chains of legal documents to assess. Adding to the complexity is a lack of standardization around BAAs. To complicate matters further, some cloud-based infrastructure providers like AWS require a non-disclosure agreement (NDA) before showing you its BAA. Some cloud-based vendors make it even more convoluted by customizing BAAs for certain customers. The end result – every contract must be evaluated in arduous detail.
The lack of transparency and standardization with BAAs ultimately limits the adoption of compliant cloud-based technologies in healthcare because of the added risks. As a result, the pace of new technology development and innovation is slowed.
In time, more transparency will come into the legal process of working with compliant cloud-based vendors. Healthcare organizations and technology vendors may soon be able to move at a faster pace without fear of compliance risk, while meeting the changing demands coming to healthcare. When healthcare harnesses the value, flexibility and speed of cloud computing fully, it will be exciting to watch.