Cloud-based EHRs create medical privacy risks

HIPAA details how data should be protected, but one organization says the law doesn't offer physicians information specific to Internet-based systems.

By — Posted Jan. 14, 2013


A patient advocacy group is calling on the government to issue guidance to physicians on how cloud-based technology should be implemented and used so fewer patients are put at risk of data breaches.

Deborah C. Peel, MD, chair of Patient Privacy Rights, sent a letter to the Dept. of Health and Human Services' Office for Civil Rights in December 2012 asking the agency to help physician practices better understand and prepare for vulnerabilities specific to cloud-based technologies. The patient privacy watchdog and advocacy group, based in Austin, Texas, was founded by Dr. Peel, a psychiatrist.

In 2011, 41% of office-based physicians were using a cloud-based electronic health record system, according to a July 2012 report by the Centers for Disease Control and Prevention. Such systems are attractive to many physicians because of their affordability.

Practices using cloud-based systems typically pay a monthly subscription fee to a vendor that stores their data and lets the practice access records over an Internet connection. The approach reduces the need for the expensive hardware and servers associated with stand-alone systems, which can cost as much as $30,000 and require full-time staff to maintain.

Among the cloud-based practices is Phoenix Cardiac Center, the first small practice to pay a large settlement to resolve charges of violating the Health Insurance Portability and Accountability Act. The $100,000 settlement that HHS reached with the five-physician group in April 2012 “illustrates the challenges that can arise when providers move to the cloud,” Dr. Peel wrote in her letter.

Phoenix Cardiac did not respond to a request for comment at this article's deadline. The practice was accused of multiple privacy and security violations, including posting surgery and appointment calendars on a publicly accessible website. The settlement did not require it to admit guilt.

Under the HIPAA Security Rule, cloud vendors can create, receive, maintain or transmit electronic protected health information on a practice's behalf only if that practice has obtained satisfactory assurances that the vendor will appropriately safeguard the information, said Susan McAndrew, deputy director for health information privacy at the Office for Civil Rights, in an emailed statement to American Medical News. She agrees that the Phoenix Cardiac Center case “underscores the importance of having in place an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of patients' [electronic protected health information] that is stored or maintained on a network.”

Dr. Peel is asking the Office for Civil Rights to issue guidance in the following areas: secure infrastructure, security standards, privacy of protected health information, and business associate agreement requirements and standardization. The office had not responded to Dr. Peel's letter as of press time, but McAndrew said the National Institute of Standards and Technology and others have provided “a wealth of guidance materials on this topic.”

“The problems come not from the concept, but from the implementation,” said Alan Brill, senior managing director at Kroll Advisory Solutions. Many practices view it as solely a tech issue when it's really a legal issue, he said.

Vendor obligations

Howard Burde, an Ardmore, Pa.-based health IT lawyer, said the data protection laws spelled out under HIPAA and the Health Information Technology for Economic and Clinical Health Act are adequate, but only if they are followed. The challenge for practices contracting with cloud-based vendors is ensuring that staff and vendors follow those rules.

Most vendors are familiar with the rules and are compliant, Burde said. But physicians need to understand how the vendor is protecting the data, and the only way they can gain that understanding is through the contract or business associate agreement.


At the very least, experts say the contract needs to spell out:

  • When and how the physician practice has access to the data and how that access is obtained.
  • How security is assured.
  • Where and how often data backups are stored and how they are accessed.
  • Whether data are stored offshore and, if so, which local laws and rules on data security apply.
  • How frequently the services are upgraded and how common downtime is.

“These are not HIPAA issues, but they are nevertheless a security issue,” Burde said.

Brill advises practices to have an attorney who is familiar with health law and cloud technology review any contract. Even after a contract is in place, he said, circumstances change, so contracts need to be reviewed on a regular basis. Ideally, the review will be done in conjunction with the practice's security risk assessment, which the HIPAA Security Rule requires and the HITECH Act reinforces. HITECH was passed as part of the 2009 American Recovery and Reinvestment Act, popularly known as the stimulus bill.

Brill said smaller practices can always use additional help, since they are less likely than large health care organizations to have the resources and staff to handle these tasks.

Although additional government guidelines wouldn't hurt, Burde said, he is not convinced they are necessary. “The technology is improving such that data is more and more secure all the time. The problem isn't the technology, it's the people.”
