The Dark Cloud of Convenience: How the New HIPAA Omnibus Rules Fail to Protect Electronic Personal Health Information

The 2013 Omnibus Rules (Rules) update to the Health Insurance Portability and Accountability Act (HIPAA) aims to increase the privacy of patient health information (PHI). Although there are increases in monetary penalty fees, there are still two major areas of weakness. First, the Rules fail to address the role of cloud storage technology. Traditionally, PHI was physically stored on-site the medical offices. However, the trend of outsourcing PHI storage to cloud computing creates a huge risk of privacy breaches as currently there are no federal standards on the security of cloud computing. This failure jeopardizes PHI privacy and leaves the medical community uncertain about security and HIPAA compliance. Second, even with increases in monetary penalties, consumer remedies are still limited since there is no private right of action. This Note explains the background of HIPAA, the need for federal guidance on technology security standards, and how in order for HIPAA to be meaningful, consumers need a private right of action against those who have breached the privacy of PHI