Healthcare data is increasingly being stored and used in the public cloud as electronically Protected Health Information or ePHI. One of the concerns healthcare organizations may have with cloud computing is a lack of control over their PHI data. This blog post outlines cloud, Protected Health Information, and compliance considerations for success.

The Cloud

Cloud computing is the term used to describe the provisioning of computer services over the internet. With cloud computing the resources that were typically local to an organization – computers, software, and data – are now hosted by third-party vendors or cloud service providers (CSP). Cloud computing is pay as you go; the upfront cost of setting up servers and databases on-premise are replaced with a metered approach where cost is determined based on the cloud resources used.

Cloud services can easily and automatically scale up and down in size and capacity as needed. Cloud can reduce infrastructure costs when compared to an on-premise solution. Software updates, hardware maintenance, etc. are performed by the cloud service provider with minimal intervention of the healthcare organization.

Protected Health Information

One of the concerns healthcare organizations may have with cloud computing is a lack of control over their PHI data. The Health Insurance Portability and Accountability Act (HIPAA) covers Protected Health Information (PHI) that could be used to identify health plan members or patients and specifies penalties if that data is disclosed. Examples of PHI are gender, phone number, physical and email address birth dates, gender, ethnicity, etc. PHI relates to physical records, while the HIPAA act defines ePHI as, “any PHI that is created, stored, transmitted, or received electronically” by a HIPAA covered entity or business associate.

Compliance Ensures Success

HIPAA considers healthcare organizations, such as providers or payers, to be covered entities while cloud service providers (CSP) are considered business associates. To be HIPPA-compliant the health care organization and the CSP must enter into a HIPAA business associate agreement (BAA) with both parties being responsible for meeting the terms of the BAA. The BAA is a contract that specifies the allowable uses and disclosures of PHI by the cloud service provider based on the activities the CSP performs for the healthcare organization.

A CSP can disclose or access protected health information only as permitted by the healthcare organization and allowed by law. Until a business associate agreement is in place and a risk assessment has been performed ePHI may not be moved to the cloud. A risk assessment is performed to identify risks and potential areas for exploitation in the environments and to suggest appropriate measures to minimize threats to the security and integrity of ePHI. Risk analysis must be done by both the health care organization and the cloud service provider.

With a risk analysis complete and a business associate agreement in place, the CSP and health organization may also enter into a service level agreement (SLA). This outlines issues such as how data will be returned to the health care organization once they stop using the CSP, backup and recovery of data, and any restrictions on the use and retention of data.

The IBM Unified Data Model for Healthcare (UDMH) v9.3, released in fall 2017, delivers a number of new or updated features for clinical users – new HEDIS 2017 measures, additional NDNQI Nursing HR metrics, GDPR support, and more. This blog will focus on what I think are the three most important changes for Payer clients – upgrades to Claims, Health Plan, and Labor entities.

Claims Enhancements

A good amount of redesign has gone into the Claims subject area. Claim Line details, which were formerly overloaded on a single table, are now subtyped into Medical, Pharmacy, and Dental table, each with subject-appropriate attributes.

New array tables such as Claim Diagnosis Code and Claim Attachment have been added at the Claim and claim line level. This will allow a practically unlimited number of rows of each type to be related with a claim or claim line. In addition to the diagnosis codes and attachments arrays mentioned, other arrays allow for codes, dates, quantities, amounts and more. The Claim entities have been tweaked to capture data throughout a claim’s life cycle, allowing for claim data as submitted, through adjudication, to adjustment and remittance.

Health Plan Enhancements
IBM has extended the Health Plan Product and related entities to include specification of cost sharing details and benefits associated with a health plan product. Additionally, certification entities let a product’s licensing history be recorded for each jurisdiction which certifies or denies a product’s sale. This allows plan definition to be stored regardless of whether a plan ever makes it to market.

Labor Enhancements

UDMH v9.3 has added a number of new capabilities to the Labor subject area. The subject area has been extended to allow for capture of job requirements, vacancies and applications. Employee time cards with hours and activity types have been added as well.