Privacy experts: Health data security efforts too reactive

Ashley Gold, FierceHealthIT, Friday, June 07, 2013

Privacy experts spoke about their data breach experiences Thursday at the Healthcare Privacy Summit in Washington, D.C., agreeing that what they've experienced likely is just the beginning for what's possible in security fissures at healthcare organizations.

OCR: Healthcare organizations unaware of privacy regulations

Dan Bowman, FierceHealthIT, Friday, April 26, 2013

Recent HIPAA audits of provider and payer organizations conducted by contractor KPMG on behalf of the U.S. Department of Health & Human Services determined that many in the industry don't know which privacy regulations apply to them. An analysis of the audits by the HHS Office for Civil Rights unveiled this week found that out of 980 problems identified during 115 audits conducted last year, 289 (30 percent) were due to ignorance on the part of organizations. "Most of these related to elements of the Rules that explicitly state what a covered entity must do to comply," the analysis says.

HIPAA Omnibus: Guidance Coming

Marianne Kolbasuk McGee, HealthcareInfoSecurity, Thursday, April 25, 2013

The Department of Health and Human Services will issue a "suite" of guidance to help healthcare providers, business associates and patients better understand how to comply with the HIPAA Omnibus Rule, an HHS attorney says.

Microsoft Updates Business Associate Agreement To Address New HIPAA Requirements And Help Enable Healthcare Organizations To Maintain Compliance In The Cloud

Press Release, Thursday, April 25, 2013

Microsoft Corp. today announced the release of a new, revised version of its HIPAA Business Associate Agreement (BAA) for the company’s next-generation cloud services. This enables customers in the healthcare industry to leverage cloud solutions to coordinate care, improve patient health outcomes, and maintain compliance with privacy and security regulations issued under the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996. Addressing HIPAA is embedded in the DNA of Microsoft’s cloud solutions, and Microsoft updated its BAA to help healthcare organizations address compliance for the final omnibus HIPAA rule, which went into effect March 26. Microsoft’s updated BAA covers Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services.

Box Expands Healthcare Offerings

Ken Terry, InformationWeek Healthcare, Thursday, April 25, 2013

Box, a cloud storage and information sharing platform used in many different industries, has announced a major expansion of its healthcare focus. Among other things, Box has revealed 10 new partner applications, an investment in iPad-native electronic health record (EHR) vendor Drchrono, its compliance with the latest HIPAA security rules, and a list of some healthcare organizations that are using its services.

Are Cloud Service Providers Maintaining Encrypted Data Business Associates Under HIPAA?

Daniel Solove, TeachPrivacy, Wednesday, February 20, 2013

In a previous post, I discussed the implications of the new HIPAA-HITECH Act regulation for cloud service providers. I noted that cloud service providers would generally be deemed to be business associates (BAs) under HIPAA because any entity that “maintains” protected health information (PHI) on behalf of a covered entity or another BA is deemed a BA. Under HIPAA, BAs are directly liable to HHS enforcement for a number of responsibilities under the HIPAA Privacy and Security Rules. Moreover, a BA must be under a business associate agreement (BAA) with the entity supplying the PHI.

Attorney: HIPAA Rules Change Game for Cloud Companies

Joseph Goedert, HealthData Management, Wednesday, January 23, 2013

Provisions of the new HIPAA privacy and security rules could change the regulatory landscape for the cloud computing industry, says Robert Belfort, a partner in the health care practice at law firm Manatt, Phelps & Phillips.

The HIPAA-HITECH Regulation, the Cloud, and Beyond

Daniel Solove, TeachPrivacy, Tuesday, January 22, 2013

The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett’s play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too.

HHS unveils final HIPAA omnibus rule

Dan Bowman, FierceHealthIT, Thursday, January 17, 2013

The long-awaited expansion of the Health Insurance Portability and Accountability Act of 1996, unveiled Thursday afternoon by the U.S. Department of Health & Human Services, comprises four final rules, according to HHS, "which have been combined to reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities."

Cloud as a prescription for health data security

Julie Anderson, Civitas Group, Friday, January 11, 2013

Despite major disagreements over the implications of Obamacare, both Democrats and Republicans have at least agreed on one issue that will benefit all Americans: a transition to electronic records is necessary to increase the effectiveness of the U.S. medical system and the privacy of medical records.