RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

From: Larry Medina <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Tue, 27 Oct 2009 18:21:26 -0400
I'll take a stab at Ken's question, because it's less 'theoretical' in
nature (doesn't require any Depends) =)

>To carry forward into this harrowing adventure, allow me to posit an
>additional scenario.
>
>You're a local regional hospital who is storing electronic patient
>records (HIPAA regulated PHI) with a third party data warehouse
>operator.  Said third party adopts the Cloud methodology for you and
>their other clients...........
>
>Where did the breach occur?  Did the breach occur within the cloud?  If
>so, who owns the cloud?  Who failed to keep their security software up
>to date and allowed the hack of that data?  Who is now responsible under
>federal law to notify those breach victims, place 12 month credit
>monitoring services, notify HHS of the breach, etc. and, ultimately,
>face any lawsuits for release of PHI?
>
>The hospital?  The 3rd party data warehouse or the owner of the cloud
>where the data was stored/breached?  Forensic claims analysis on the
>way....  Breach occurred at company x who operates the cloud and owns
>the servers.  Now that we have that settled, did the data warehouse know
>that cloud operator had similar breaches in the past before they placed
>your data with them?  They did?  Well, that's just more
>negligence..........
>
>Welcome to my world!
>

In a "HIPAA World" you have an easy out... before the data is tossed over
the fence, you are required to develop and institute a "Third Party Business
Associates Agreement" http://bit.ly/IaVkF and it's pretty clear in the
suggested HHS language what the obligations of the Business Associate are.
If they make a change to their business processes that would in any way
jeopardize the data they are under contractual agreement to protect, it's on
them.

So if they adopt the cloud, they also adopt all risk related to it.

The covered entity is just that... covered from any liabilities, as they
have all been transferred to the contractor.

This is exactly why I made my initial comment about attempting to determine
the value of any insurance related to protecting the data. Sure, as the
covered entity you still have some risk of loss of information and the
head-on embarrassment of dealing with your patients, insured clients, etc.
that the data was compromised, but the legal and financial obligations have
been transferred to the Business Associate.

And you're right Ken, I agree this is NOT MY WORLD...and I think I'll stay
on this side of the chasm. =)

Larry
[log in to unmask]
