Cloud-based EHRs create medical privacy risks
HIPAA details how data should be protected, but one organization says the law doesn't offer physicians information specific to Internet-based systems.
A patient advocacy group is calling on the government to issue guidance to physicians on how cloud-based technology should be implemented and used so fewer patients are put at risk of data breaches.
Deborah C. Peel, MD, chair of Patient Privacy Rights, sent a letter to the Dept. of Health and Human Services' Office for Civil Rights in December 2012 asking the agency to help physician practices better understand and prepare for vulnerabilities specific to cloud-based technologies. The patient privacy watchdog and advocacy group, based in Austin, Texas, was founded by Dr. Peel, a psychiatrist.
In 2011, 41% of office-based physicians were using a cloud-based electronic health record system, according to a July 2012 report by the Centers for Disease Control and Prevention. Such systems are attractive to many physicians because of their affordability.
Cloud-based practices typically pay a monthly subscription fee to a vendor who stores their data and allows practices to access records using an Internet connection. The approach reduces the need for expensive hardware and servers associated with stand-alone systems that can cost as much as $30,000 and require a full-time staff to maintain.
Among the cloud-based practices is Phoenix Cardiac Center, the first small practice forced to pay a large settlement agreement for charges of violating the Health Insurance Portability and Accountability Act. The $100,000 settlement that HHS reached with the five-physician group in April 2012 “illustrates the challenges that can arise when providers move to the cloud,” Dr. Peel wrote in her letter.
Phoenix Cardiac did not respond to a request for comment at this article's deadline. The practice was accused of violating various privacy and security rules, such as posting surgery and appointment calendars on a publicly accessible website. It was not required to admit guilt in the settlement.
Under the HIPAA Security Rule, cloud vendors can create, receive, maintain or transmit electronic personal health information on a practice's behalf only if that practice has obtained satisfactory assurances that the vendor will appropriately safeguard the information, said Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights, in an emailed statement to American Medical News. She agrees that the Phoenix Cardiac Center case “underscores the importance of having in place an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of patients' [electronic personal health information] that is stored or maintained on a network.”
Dr. Peel is asking the Office for Civil Rights to issue guidance on the following criteria: secure infrastructure, security standards, privacy of protected health information, and business associate agreement requirements and standardization. The office had not responded to Dr. Peel's letter as of press time, but McAndrew said the National Institute of Standards and Technology and others have provided “a wealth of guidance materials on this topic.”
“The problems come not from the concept, but from the implementation,” said Alan Brill, senior managing director at Kroll Advisory Solutions. Many practices view it as solely a tech issue when it's really a legal issue, he said.
Howard Burde, an Ardmore, Pa.-based health IT lawyer, said the data protection laws spelled out under HIPAA and the Health Information Technology for Economic and Clinical Health Act are adequate, but only if they are followed. The challenge for practices contracting with cloud-based vendors is ensuring that staff and vendors follow those rules.
Most vendors are familiar with the rules and are compliant, Burde said. But physicians need to understand how the vendor is protecting the data, and the only way they can gain that understanding is through the contract or business associate agreement.
At the very least, experts say the contract needs to spell out:
- When and how the physician practice has access to the data and how that access is obtained.
- How security is assured.
- Where and how often data backups are stored and how they are accessed.
- If data are stored offshore and, if so, what the local rules and laws are that pertain to data security.
- How frequently the services are upgraded and how common downtime is.
“These are not HIPAA issues, but they are nevertheless a security issue,” Burde said.
Brill advises practices to have an attorney who is familiar with health law and cloud technology review any contracts. Even after a contract is in place, he said, things may change, so the contract needs to be reviewed on a regular basis. Ideally, the review will be done in conjunction with the practice's risk assessment, which is required by the HITECH Act. That act was passed as part of the 2009 American Recovery and Reinvestment Act, popularly known as the stimulus bill.
Brill said smaller practices can always use additional help, since they are less likely than large health care organizations to have the resources and staff to handle these tasks.
Although additional government guidelines wouldn't hurt, Burde said, he is not convinced they are necessary. “The technology is improving such that data is more and more secure all the time. The problem isn't the technology, it's the people.”