- Q&A: Privacy activism in the age of Big Data
- 5 steps to managing data security risks in the cloud
- HHS grants $103 million to chronic disease programs
- Letters to the editor
- One year after SCOTUS, health law is even more complex
- Medicare Strike Force nails 89 fraudsters
- ATA gets underway in Austin
- mHealth VC slowed in second half of 2012
- Pharma not so big on cloud for clinical trials
- UT-Austin creates HIE lab to train health IT workers
- Case Study: Blood Systems Expands Remote Access Connectivity to Prepare for Disaster
- Store and Organize All Types of Healthcare Data on a Single Information Infrastructure
- Medical Imaging in the Cloud
- QualSight LASIK Achieves HIPAA Compliance After Attempted Hack
- New World Order: Effectively Securing Healthcare Data Through Secure Information Exchanges
In April, the Department of Health and Human Services reached a $100,000 HIPAA settlement with Phoenix Cardiac Surgery, after the small physician practice had managed clinical and surgical appointments, between 2007 and 2009, using an Internet-based calendar that also happened to be publicly-available.
The Internet being the most ubiquitous form of cloud computing, an Austin, Texas-based advocacy group called Patient Privacy Rights is pointing to the Phoenix Cardiac Surgery HIPAA violation as an example of why HHS should regulate, or at least guide, cloud use in healthcare.
In a letter to the HHS Office for Civil Rights, Patient Privacy Rights founder and chair Deborah Peel, MD, urged the agency to create cloud-computing guidelines around the issues of secure infrastructure, security standards and business associate agreements.
“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.
Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed “if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.”
Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight “the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.”
In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. “HHS and HIPAA guidance in this area, to date, is limited,” Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.
It’s not clear how often cloud-based IT services have breached HIPAA, and some IT professionals have argued that cloud-based EHRs could actually help prevent breaches.
Still, it’s a concern for health organizations, which are increasingly using cloud-based services for a variety of IT needs. According to a recent survey by the Ponemon Institute, 62 percent of health organizations use cloud services heavily or moderately. Almost half of the respondents told Ponemon that they are not confident in the information security of cloud-based services.
Whatever HHS decides to do in the area of HIPAA and the cloud, the agency has been a leader in the federal government’s Cloud First Program, intended as way to help lean and improve IT systems at large government organizations.
Download the eBook 'Navigating the Cloud' from Government Health IT and Healthcare IT News