The continuing migration of patient records from paper to the cloud is a tricky area for healthcare companies and their managed IT services partners. On one hand, digitized medical records could mean a breakthrough for healthcare delivery – instant access to the records of accident victims in an emergency room could save lives, for example. And physicians would be able to quickly consult specialists around the world in crafting treatment plans. On the other hand, the many benefits have a potential dark side, both for patients and for healthcare companies and their business associates.
Just last week, the U.S. Department of Health and Human Services issued long-awaited, sweeping modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. The rules impose new limitations on the use and disclosure of health information, prohibit its sale without individual notification and clarify the liabilities of failing to properly protect patient data. They also raise the stakes, with higher penalties for noncompliance.
So even as hospitals calculate the cost-savings, efficiencies and healthcare benefits of allowing IT services to store medical records in the cloud, the risks are becoming clearer. Patient information, medical images and billing statements are all vulnerable.
“We are looking at a nightmare,” said Dr. Deborah Peel, founder and chair of Patient Privacy Rights, an advocacy group based in Austin, Texas. “It’s baffling to the average person, because they expect their health data to be protected.”
Peel said many hospitals don’t even encrypt data. She supports the idea of stiff penalties for breaches, and to that end she wrote to HHS in December urging that it devise rules for handling medical data. Peel says her organization doesn’t object to moving medical information onto the cloud, but she said it shouldn’t be done until a reliable certification system is created.
Her letter recommended four steps for devising a system:
- Create a secure infrastructure, including administrative, physical and technical safeguards. External auditors should evaluate systems, access to data should be limited, data must be encrypted and intrusion detection technology needs to be installed.
- Security standards should be on par with those used by federal agencies. They should require compliance with the federal Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.
- Standards must be set for the privacy of health information. State and federal regulations would address the appropriate use, disclosure and safeguarding of medical records.
- Development of business associate agreements to protect data managed by cloud-computing providers. Such agreements would give patients assurances that third-party businesses wouldn’t be able to misuse sensitive information.
Much of that is addressed in the new HIPAA standards. HHS Office of Civil Rights director Leon Rodriguez stressed that the rules “not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates.”
According to Healthcare IT News, Rodriguez said in December that his office was moving more into the area of what he called “assertive enforcement,” pressing for “more monetary settlements” from doctors, hospitals, health plans and social service agencies. “Every one of those is a message to the rest of the industry,” he said.
The bottom-line message for healthcare companies and their IT services partners is that they must ensure data security and compliance at every turn.