College of Law > About > Centers & Institutes > Mary and Michael Jaharis Health Law Institute > E-Pulse Newsletter > big-data-omnibus-hipaa-rule
By Andrea Torgimson /
September 1, 2015 /
Posted in: HLI News /
As the world becomes more connected, and individuals lives
more public through the social media, the protection of personal privacy
becomes a major concern for those in the healthcare field. The health care industry is moving large
amounts of patient data, also known as big data, into electronic health records
(EHRs) and personal health information (PHI) and storing the information with
remote cloud services. The switch to electronic data gathering and cloud
storage comes with both exciting advances in health care but also presents a
substantial risk to personal privacy. The Health Insurance Portability and
Accountability Act (HIPPA) and the Health Information Technology for Economic
and Clinical Health Act (HITECH) have aimed to safe guard the mass of
information technology that is gathered in the health industry. However, the
question remains – is it enough?
America has been slow to recognize the individual right to
health information privacy compared to other industrialized countries, most
notably the European Union (EU). The EU established a basic right to
personal privacy as a fundamental value at the Council of Europe Convention in 1950,
which automatically encompassed health information when the need arose.
Conversely, America established the right to privacy through common law and
slowly covered more facets under that basic right to privacy. It was not
until the passage of HIPPA as amended by HITECH that America recognized the
right to health information privacy. The historical differences lead to two
very different viewpoints of how health information would be perceived. America assumes that the information will be
gathered and then attempts to protect the individual down the line through a
down stream model. On the other hand, the EU does not make this assumption
and attempts to protect the individual from the accumulation process all-together.
Under the American framework, health information was
originally stored on site with the health care provider. However, this
method quickly became expensive and hard to manage, so health providers began
using cloud storage with off site third party carriers. Under the omnibus
HIPPA rule, the third party entities, or business associates (BA), are
considered to be down stream from the health care providers and fall under the
realm of HIPPA liability. The HIPPA rule also proscribes liability to not
only BA's who access and use data regularly, but also those that simply
maintain the health information. The heightened security level hinges on
the persistence of custody, not the degree of access. Further downstream,
HIPPA also covers the BA's subcontractors under the scope of liability as long
as they are a person whom a [BA] delegates a function, activity, or service.
There is one major uncertainty to the omnibus HIPPA rule in regards to
downstream liability: if the cloud service provider maintains encrypted health
information without key access, it is unclear if the company will fall under
On the other hand, the EU protects the individuals' privacy
from the beginning by carefully considering and enumerating the circumstances
where PHI can be gathered. Instead of encouraging complete medical records
to be stored, the EU deploys modules pertaining to different types of
information. For instance, a “vaccination module” will store information
that is only relevant to vaccinations. Further, the modules have strict
guidelines on who can access them and for what reason as well as how long the
data controller can maintain the PHI.
HIPPA and the amended HITECH laws have brought America
closer to protecting personal privacy, but there is still a long way to go.
The American down-stream protection scheme may never fully protect
individuals. The more people who are
allowed access to PHI, the more chances a breach will occur. The solution perhaps rests in the EU
framework which encourages protection from the very start by limiting what can
be gathered and where it is stored.
Andrea Torgrimson is a current student at DePaul University
College of Law. Ms. Torgrimson received
her Bachelor of Arts in Political Science from The University of New
Mexico. She will obtain her J.D. Degree
with an emphasis in health care law in 2017.