Organizations handling protected health information have until Sept. 23 to comply with new security and privacy requirements that were included as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
After Sept. 23, all covered entities, including online storage vendors and cloud service providers, will be subject to new breach notification standards and limitations on how they can use and disclose PHI. They will also be required to ensure that their business associates and subcontractors are compliant with the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Act amended portions of HIPAA by adding new security and privacy provisions on patient information.
In addition, covered entities will be required to have updated patient privacy notices in place that state the patient's rights over the data and how the data can be used and shared.
Unlike the original HIPAA privacy and security rules, which primarily applied to healthcare organizations and insurance companies, the new HIPAA Omnibus rules apply to business associates and their subcontractors. Under the omnibus rules, a business associate of a healthcare provider, such as a cloud service provider, is directly liable for protecting any patient data it handles, even if the vendor is just storing the data.