Educause Security Discussion mailing list archives

Re: HIPAA Omnibus rule and Google (or any other Cloud service provider)

From: "Dr. Wole Akpose" <wole.akpose () MORGAN EDU>
Date: Fri, 13 Sep 2013 18:35:05 -0400

An interesting question.

How does the following compilation help :

https://docs.google.com/a/morgan.edu/document/d/12CfwkS7vuAd-GjJmx0ggXp1e9NETbywc9puh1lZvrt4/edit

*W. Akpose*


On Fri, Sep 13, 2013 at 5:58 PM, Mig Hofmann <mig () sfsu edu> wrote:


Related to Dan's posting of earlier this year, we are experiencing
difficulty re-negotiating contracts with our SaaS providers related to
HIPAA compliance.  The new Omnibus Rule appears to be impacting their
stance considerably (against offering much...)

Their costs and reluctance to take on architectural solutions looks like
we will have to abandon some contracts either due to increased costs,
consider all new vendors or bring back-in-house services we previously
outsourced.

For Student Health Services specifically, have any of you found SaaS
providers that you like especially for hosted medical records solutions and
on site managed security services that were reasonably priced and have
eased your HIPAA compliance burden?

Thanks

Mig

     K. Mig Hofmann
Information Security Officer, San Francisco State University
415.338.3018, mig () sfsu edu
-
*In adversity, we know our friends and one's self*.
      ------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Dan Han [s2dhan () VCU EDU]
*Sent:* Thursday, April 11, 2013 7:19 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] HIPAA Omnibus rule and Google (or any other Cloud
service provider)

  We are a HIPAA hybrid entity with several departments and schools,
especially on our medical campus, covered under HIPAA. We are currently in
the midst of transitioning all of our faculty and staff onto GMail and
Google Apps. To my understanding, under the new Omnibus rule, the "conduit
exception" does not apply to Google or any other vendors that store PHI for
covered entities. Therefore, any of our covered units should not migrate to
Google and we will need to keep an in-house system for these units. Has
anyone else have ran into this conundrum, and how have you addressed it?
Please advise. Thank you.

 Dan Han
Virginia Commonwealth University

Current thread:

HIPAA Omnibus rule and Google (or any other Cloud service provider) Mig Hofmann (Sep 13)
- Re: HIPAA Omnibus rule and Google (or any other Cloud service provider) Dr. Wole Akpose (Sep 13)
- Re: HIPAA Omnibus rule and Google (or any other Cloud service provider) Dan Han (Sep 15)
  - Re: HIPAA Omnibus rule and Google (or any other Cloud service provider) Mig Hofmann (Sep 17)