Seton Hall Law Professors Endorse Higher Security and Privacy Standards for Health Data, Issue White Paper on the Future of HIPAA in the Cloud

Study Includes Recommendations by Leading Law Professors on How American Health Privacy Rules Must Be Interpreted and Amended to Address the New Data Challenges for Healthcare Providers and Patients

Newark, NJ - As current health information technology rules within the Health Insurance Portability and Accountability Act (HIPAA) – such as the Omnibus Rule released in January 2013 – are being clarified by relevant authorities and followed by firms, Seton Hall Law Professors Frank Pasquale and Tara Adams Ragone have collaborated on a timely paper, “The Future of HIPAA in the Cloud.” This needed research examines the role of cloud computing in healthcare, patient health information, and data security for the cloud. It offers policy recommendations on how to reduce the risk of privacy breaches by addressing the dangers caused by inappropriate data access, storage, transmission, and analysis.

Professor Pasquale, Schering-Plough Professor in Health Care Regulation and Enforcement, remarked, “There are multiple uses as well as misuses of health information compiled about patients, the insured, research subjects, physicians, hospitals and populations. The increasing use of cloud computing in the healthcare space raises many questions about data security. Even though the benefits of digitized records are numerous – productivity gains, patient-doctor access to records including medical history, cost savings – we must not forget about the importance of confidentiality and security. Indeed, our recommendations should also help assure the accuracy of health information, promoting goals of innovation, access, and cost-control.”

In the paper, the authors survey important areas of health privacy regulation and data protection standards. After describing how cloud computing is currently being used in healthcare, they examine nascent and emerging cloud applications. While current regulation addresses many of these scenarios, there are key decision points ahead, which the authors explore, to create a more secure user experience. They close with concrete recommendations for future policy. Their analysis takes into account concerns from diverse U.S. stakeholders and draws on lessons learned from both state law and international policy.

“Technology is developing so rapidly that it is difficult for policy safeguards for protecting privacy to keep pace. We took a fresh look at the value of cloud computing models in healthcare delivery and examined what covered entities are doing, and what patients and consumers should expect in maintaining privacy. We concluded that we must do more, proactively, to assure that health privacy is constantly evaluated in an era of increasing use of cloud computing,” offered Professor Ragone, Research Fellow and Lecturer in Law.

Specific recommendations include:

  1. Increasing Business Associate Compliance: Mandatory Business Associate Agreement Terms, Education, and Increased Enforcement: The Omnibus HIPAA Rule gave “teeth” to HIPAA by extending liability for privacy breaches down the information chain to business associates – including any entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. However, many cloud service providers dismiss Health and Human Services’ (HHS) enforcement authority. Regulators should make this issue a priority, particularly as they implement audits for covered entities and business associates such as third-party servicers.
  2. Study Assessing Feasibility of Limited Safe Harbor for Covered Entities Engaged in Best Practices: HHS should address the bargaining power of cloud service providers and encourage “downstream” supervision by requiring Business Associate Agreements (BAAs) to include terms that preserve a monitoring role for covered entities and third-party servicers. If there are violations, HHS should evaluate amending the rules to state clearly whether a covered entity or third-party servicer would be held liable if an agent disregards instructions specifically laid out within the BAA.
  3. Increasing Patient Empowerment – From Transparency to Intelligibility to Accountability: Many aspects of the Omnibus HIPAA Rule were aimed at assuring that patients are able to understand (and control) some of the data kept about them by covered entities and third-party servicers; however, it does not go far enough. Standards and best practices still need to be adopted to assure optimal realization of these rights by consumers. Moreover, certain uses of health information by employers and other important decision-makers need to be prohibited altogether.

The full paper, “The Future of HIPAA in the Cloud,” may be found here: http://law.shu.edu/hipaacloud

The Seton Hall Law Center for Health & Pharmaceutical Law & Policy advances scholarship and recommendations for policy on the varied and complex issues that emerge within pharmaceutical and health law. Additionally, the Center is a leader in providing compliance training on the wide-ranging state, national, and international mandates that apply to the safety, promotion, and sale of drugs and devices. Seton Hall University School of Law, New Jersey's only private law school and a leading law school in the New York metropolitan area, is dedicated to preparing students for the practice of law through excellence in scholarship and teaching with a strong focus on experiential learning. Seton Hall Law School offers day and evening programs for J.D., M.S.J. and LL.M. degree candidates, as well as an Online Learning division enabling professionals to earn graduate certificates. Founded in 1951, Seton Hall Law School is located in Newark. For more information, visit law.shu.edu.