Educause Security Discussion mailing list archives

Re: HIPAA Omnibus rule and Google (or any other Cloud service provider)


From: Dan Han <s2dhan () VCU EDU>
Date: Sun, 15 Sep 2013 17:42:24 -0400

Mig,

I think for the most part, FERPA, rather than HIPAA, applies to student health
records in elementary, secondary and post-secondary educational
institutions, although there may be state data protection and breach laws
that apply to these health records (not covered under HIPAA). Therefore, if
your only concern is Student Health Services, and if Student Health
Services are not treating non-students, then it is likely that HIPAA does
not apply in your case. You may wish to investigate this further.

In terms of SaaS providers for email, productivity, and collaboration
services, I think Microsoft is willing to execute a BAA, and host data
within the bounds of the United States. This makes me much more comfortable
than what Google offers. As for SaaS providers for other services, I think
if they are going to be used to handle sensitive data, then you will really
have to establish and maintain a process to evaluate them on a case-by-case
basis.

Dan

On Friday, September 13, 2013, Mig Hofmann wrote:

Related to Dan's posting earlier this year, we are experiencing
difficulty re-negotiating contracts with our SaaS providers related to
HIPAA compliance. The new Omnibus Rule appears to be impacting their
stance considerably (against offering much...)

Their costs and reluctance to take on architectural solutions make it look like
we will have to abandon some contracts either due to increased costs,
consider all new vendors, or bring back in-house services we previously
outsourced.

For Student Health Services specifically, have any of you found SaaS
providers that you like, especially for hosted medical records solutions and
on-site managed security services, that were reasonably priced and have
eased your HIPAA compliance burden?

Thanks

Mig

K. Mig Hofmann
Information Security Officer, San Francisco State University
415.338.3018, mig () sfsu edu
-
*In adversity, we know our friends and one's self*.
------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Dan Han [s2dhan () VCU EDU]
*Sent:* Thursday, April 11, 2013 7:19 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] HIPAA Omnibus rule and Google (or any other Cloud service provider)

We are a HIPAA hybrid entity with several departments and schools,
especially on our medical campus, covered under HIPAA. We are currently in
the midst of transitioning all of our faculty and staff onto GMail and
Google Apps. To my understanding, under the new Omnibus rule, the "conduit
exception" does not apply to Google or any other vendors that store PHI for
covered entities. Therefore, any of our covered units should not migrate to
Google and we will need to keep an in-house system for these units. Has
anyone else run into this conundrum, and how have you addressed it?
Please advise. Thank you.

Dan Han
Virginia Commonwealth University



-- 
Dan Han
Virginia Commonwealth University

Sent from my mobile device