Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing - Health Care in the Cloud

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud. The issues are highlighted in the Health Care chapter of our Cloud Computing White Paper.

Authentication Practices and Secure Communications in the Life Sciences and Health Care Industry

Information security is paramount in the life sciences and health care industry because it is subject to affirmative regulatory requirements regarding the physical and technical safeguards used to secure electronic information. It is therefore troubling that the Internet protocols that are universally used to transmit encrypted information employ an authentication process (to verify the endpoints of a communication) that is deeply flawed. The authentication process requires the parties to the communication to trust literally hundreds of unknown third parties referred to as "certificate authorities." The closer one looks at the identity of these third parties and the processes used to carry out the authentication process, the worse it gets. It is time for GCs to get involved because Encryption is Not Enough...

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The HHS Rule is effective on September 23, 2009; however, HHS will not impose sanctions for failure to provide the required notices for breaches that are discoverable before February 22, 2010.

For additional details, read the full alert.