Tuesday, July 16, 2013 - Almanac Vol. 60, No. 1
New Regulatory Changes: Do They Apply to Your Area?
Recent regulatory changes require that Penn, including areas that do not provide patient care or health services, assess how patient data is received from and maintained on behalf of health care providers, health insurers, and other health care organizations ("covered entities"). Parties that receive, use and maintain patient information from covered entities are now directly responsible for compliance with the Health Insurance Portability and Accountability Act (HIPAA), and must sign Business Associate Agreements that set the parameters for how that information will be secured and maintained. This will potentially impact areas of the University that previously had no obligations under HIPAA.
Additionally, as an organization with multiple health care components, Penn must ensure that the appropriate Business Associate Agreements are in place with third parties that maintain and/or use our patient information, including cloud providers. Penn currently has several relationships with cloud providers, including Box.com and Amazon Web Services. Penn is working to secure Business Associate Agreements with these and other cloud vendors, but those agreements are not yet in place. Therefore, cloud services should not be used to store patient information, sometimes referred to as Protected Health Information (PHI), unless and until there is an approved Business Associate Agreement with the provider.
If you have questions, please contact the Office of Audit, Compliance and Privacy at (215) 573-4492.