Re: HIPAA Omnibus rule and Google (or any other Cloud service provider)

[Mig Hofmann <mig () SFSU EDU>]

Thanks Dan

We were informed that the new HiTech Act with its focus on medical records and their subsystems within scope where 
there was previously a FERPA exemption.  In CA, from a notification and breach standpoint, we don't have an exemption 
for FERPA under CA law (as CA laws treat ePHI as PII.(

We do have a new BAA from our Legal so we will see how that works but we are having trouble finding viable integrated 
vendors in this space and wanted to see what everyone else was looking at as solution providers.

Thanks for all the responses on this!

Mig

K. Mig Hofmann
Information Security Officer, San Francisco State University
415.338.3018, mig () sfsu edu
-
In adversity, we know our friends and one's self.
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Dan Han [s2dhan 
() VCU EDU]
Sent: Sunday, September 15, 2013 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Omnibus rule and Google (or any other Cloud service provider)

Mig,

I think for most part, FERPA, rather than HIPAA applies to student health records in elementary, secondary and 
post-secondary educational institutions. Although there maybe state data protection and breach laws that apply to these 
health records (not covered under HIPAA). Therefore if your only concern is Student Health Services, and if Student 
Health Services are not treating non-students, then it is likely that HIPAA does not apply in your case. You may wish 
to investigate this further.

In terms of SaaS providers for email, productivity, and collaboration services, I think Microsoft is willing to execute 
a BAA, and host data within the bounds of United States. This makes me much more comfortable than what Google offers. 
As for SaaS providers for other services, I think if they are going to be used to handle sensitive data, then you will 
really have to establish and maintain a process to evaluate them on a case by case basis.

Dan

On Friday, September 13, 2013, Mig Hofmann wrote:
Related to Dan's posting of earlier this year, we are experiencing difficulty re-negotiating contracts with our SaaS 
providers related to HIPAA compliance.  The new Omnibus Rule appears to be impacting their stance considerably (against 
offering much...)

Their costs and reluctance to take on architectural solutions looks like we will have to abandon some contracts either 
due to increased costs, consider all new vendors or bring back-in-house services we previously outsourced.

For Student Health Services specifically, have any of you found SaaS providers that you like especially for hosted 
medical records solutions and on site managed security services that were reasonably priced and have eased your HIPAA 
compliance burden?

Thanks

Mig

K. Mig Hofmann
Information Security Officer, San Francisco State University
415.338.3018, mig () sfsu edu<UrlBlockedError.aspx>
-
In adversity, we know our friends and one's self.
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU<UrlBlockedError.aspx>] on 
behalf of Dan Han [s2dhan () VCU EDU<UrlBlockedError.aspx>]
Sent: Thursday, April 11, 2013 7:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<UrlBlockedError.aspx>
Subject: [SECURITY] HIPAA Omnibus rule and Google (or any other Cloud service provider)

We are a HIPAA hybrid entity with several departments and schools, especially on our medical campus, covered under 
HIPAA. We are currently in the midst of transitioning all of our faculty and staff onto GMail and Google Apps. To my 
understanding, under the new Omnibus rule, the "conduit exception" does not apply to Google or any other vendors that 
store PHI for covered entities. Therefore, any of our covered units should not migrate to Google and we will need to 
keep an in-house system for these units. Has anyone else have ran into this conundrum, and how have you addressed it? 
Please advise. Thank you.

Dan Han
Virginia Commonwealth University


--
Dan Han
Virginia Commonwealth University

Sent from my mobile device