Yes, that's correct: "Cloud Computing" is cited in the ruling. Read on.
The FTC issued its final rule on Health Breach Notifications on August 17th, after soliciting comments over the past several months. The rule applies to all "Vendors of Personal Health Records" as defined in the ruling.
Definition: "Vendor of Personal Health Records" is "an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record (PHR)."
In addition, the ruling addresses some of the realities of today's market and the use of third-party service providers, as well as entities that leverage web-based technologies to offer products and services that manage or process PHRs. In reading through the 88-page ruling (AAGH!), I found it interesting that there was a specific reference to the use of cloud computing. The ruling addresses the breach notification requirements for cloud computing providers in the context of "third party service providers".
Listed below is the section of the ruling that references cloud computing. The "one commenter" is a reference to an entity that submitted comments on the ruling during the solicitation of public comments.
From the "Proposed section 318.3: Breach notification requirement" paragraph:
First, one commenter noted that a third party service provider may be unaware that it is dealing with a vendor of personal health records. For example, a cloud computing service provider may offer computing power and storage without knowing whether customers use them to offer PHRs. The Commission agrees with this comment and, accordingly, adds the following sentence to paragraph 318.3(b): “For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this Part.”
Second, one commenter noted that some third party service providers may have multiple vendors of personal health records as clients. [M. Brooks: Sounds just like a cloud computing service provider!] If the third party service provider experiences a breach, it should not be required to identify every individual whose information was breached to each of its clients, regardless of whether the individual is a customer of the client. This could result in the third party service providers' sharing customer lists with competing vendors of PHRs, and could undermine the privacy of such customers. The Commission agrees. Thus, instead of requiring the third party service provider to identify each "individual" whose information was breached, the Commission's final rule requires the service provider to identify each "customer of the vendor of personal health records or PHR related entity" whose information was breached.
Footnote 85 of the ruling: "Cloud computing is the provision of Internet-based computer services. Cloud computing provides businesses and consumers with access to software, data storage, and infrastructure services that are hosted remotely."
The FTC press release is titled "FTC Health Breach Notification Rule News". The complete FTC ruling is published as 16 C.F.R. Part 318: Notice of Proposed Rulemaking and Request for Public Comments Concerning Proposed Health Breach Notification Rule, Pursuant to the American Recovery and Reinvestment Act of 2009.
Suffice it to say, companies or vendors that are evaluating or making use of cloud computing for data that includes PHRs will now be required to notify their cloud computing service providers of their status as PHR vendors. Hopefully this isn't new news for vendors of PHRs!
Second, it is clear that the FTC understands well enough how companies are leveraging cloud computing providers that industry may see enforcement action in the cloud computing domain. The Rule will take effect 30 days after publication in the Federal Register, and the FTC said it would begin enforcement 180 days after publication.