Stan. Tech. L. Rev., Vol.17 pp.595-809, 2014
... Given the current implementation of Meaningful Use rules for health information technology and the Omnibus HIPAA Rule in health care generally, the stage is now set for a distinctive law of "health information" to emerge. ... The diffusion of electronic health records (EHRs) has now reached a critical mass, assuring that more healthcare entities are dealing with digitized records of protected health information (PHI). ...

Provisions Allocating Responsibility and Liability to Business Associates

HIPAA's Privacy Rule has long required CEs to have contracts or other arrangements with BAs "to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule." ... First, it expressly includes "a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information." ... The Omnibus HIPAA Rule also makes plain that "a person that offers a personal health record to one or more individuals on behalf of a covered entity" also is a business associate for purposes of HIPAA obligations and liability. ...

HIPAA in the Cloud from a Patient's Perspective

While patients anticipate that their healthcare provider will usually engage in due diligence before selecting a cloud service provider, they nevertheless appreciate (if sometimes on a visceral or intuitive level) the risks involved in cloud computing scenarios. ... While covered entities and cloud service providers seek legal guidance as they work together to safeguard health data, patients have an interest in assuring that their privacy is protected. ...
For example, HHS could affirm the value of CEs and upstream BAs vetting potential vendors prior to contracting to evaluate their qualifications and compliance with HIPAA; using a BAA that includes all terms required by HHS; actively monitoring the agent's performance; providing appropriate and ongoing training and instruction to cloud service providers; and responding to signals of possible violations. ... Nor did Congress adequately appreciate, in HITECH, the degree to which big data companies' use of health-inflected data could eventually render HIPAA irrelevant by fueling the creation of medical reputations unmoored from covered medical records. ... In order to address these twenty-first century challenges to health privacy, policymakers should take two steps: rendering existing data about information practices more intelligible to consumers, and presenting in plain terms to Congress the types of privacy challenges enabled by the deployment of big data.
Inappropriately; Accountability; Centralization; Specialization; Inappropriate; Deduplication; Communication; Transmission; Reputational; Consolidated; Computer & Internet Law; Healthcare Law; Pensions & Benefits Law; Public Health & Welfare Law
Academic Law Reviews (LexisNexis®)