by Paul Rubell, Esq.
New privacy regulations may impose new legal obligations on software developers, webhosts, data centers, and manufacturers of EMR devices. In a startling legal development, many cloud providers may find themselves unexpectedly caught beneath the umbrella of the federal HIPAA law.
Every technology company that directly or indirectly comes into contact with personal information about people’s healthcare conditions is subject to direct government regulation.
For instance, mobile application developers whose products help physicians to provide patient care, or to store records via EMR (electronic medical records), or to provide multi-platform access to healthcare providers at different locations may fall under the microscope of the U.S. Department of Health and Human Services (“HHS”).
Likewise, a data center may be captured in the new privacy rules if it hosts a software application that is used by hospitals, laboratories, or physician practices.
Similarly, a developer of a software platform that is used to create databases of patient healthcare information, or to format patient records, or to transmit patient information can be subject to these new rules.
Surprisingly, the privacy rules apply to hardware as well as software. Manufacturers of these devices: take note.
Products such as monitors, displays, and other medical devices that measure, store, analyze or present visual or textual patient healthcare data are also covered by these regulations. So are digital photocopiers and scanners that use hard drives to copy, store and transmit medical records.
[Image republished from http://bit.ly/RwuaJ9 © 2012-2013 Xtelligent Media, LLC]
Before 2013, none of these categories of cloud providers were the subject of any government privacy regulation. It seemed too far-fetched to connect generic cloud technology with healthcare or patient data.
Before 2013, even cloud providers and developers who operated in the healthcare space were treated merely as “business associates” or “subcontractors” under federal privacy law. As a formality, cloud providers were required to sign a contract, agreeing to keep patient data private and secure. These standardized contracts are known as business associate agreements (“BAAs”). BAAs are generally off-the-shelf “boilerplate” documents that are frequently appended at the end of license agreements, work orders, scope of work documents, and the like.
Before 2013, a tech provider’s primary obligation in case a patient’s information were compromised would be to assist its customer (the healthcare provider) to mitigate the disclosure’s impact. As a result of the limited risk and the routine nature of signing “form” BAA contracts, cloud providers and software developers generally did not give much thought to signing BAAs, focusing instead on selling their services.
Enter 2013. The long arm of the HIPAA law and HHS jurisdiction has dramatically changed the landscape.
Under the new healthcare regulations, business associates and subcontractors are treated in exactly the same way as hospitals, physician practices, laboratories, billing companies, and insurance companies. An entirely new universe of cloud providers and software and mobile app developers has today become subject to direct federal regulation and oversight.
It has never been more important for technology companies to pay careful attention to these new privacy and security rules.
What does this mean for you?