Government Health IT
Patient privacy group asks HHS for HIPAA cloud guidance

December 28, 2012 | Anthony Brino, Associate Editor

In April, the Department of Health and Human Services reached a $100,000 HIPAA settlement with Phoenix Cardiac Surgery after the small physician practice had managed clinical and surgical appointments between 2007 and 2009 using an Internet-based calendar that also happened to be publicly available.

The Internet being the most ubiquitous form of cloud computing, an Austin, Texas-based advocacy group called Patient Privacy Rights is pointing to the Phoenix Cardiac Surgery HIPAA violation as an example of why HHS should regulate, or at least guide, cloud use in healthcare.

In a letter to the HHS Office for Civil Rights, Patient Privacy Rights founder and chair Deborah Peel, MD, urged the agency to create cloud-computing guidelines around the issues of secure infrastructure, security standards and business associate agreements.

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

Cloud computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed “if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.”

Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight “the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.”

In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. “HHS and HIPAA guidance in this area, to date, is limited,” Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.

It’s not clear how often cloud-based IT services have breached HIPAA, and some IT professionals have argued that cloud-based EHRs could actually help prevent breaches.

Still, it’s a concern for health organizations, which are increasingly using cloud-based services for a variety of IT needs. According to a recent survey by the Ponemon Institute, 62 percent of health organizations use cloud services heavily or moderately. Almost half of the respondents told Ponemon that they are not confident in the information security of cloud-based services.

Whatever HHS decides to do in the area of HIPAA and the cloud, the agency has been a leader in the federal government’s Cloud First Program, intended as a way to help streamline and improve IT systems at large government organizations.

Reader Comments (1)

DanHaley says: Right instinct, wrong approach
December 31, 2012 | 11:17AM GMT
This notion that the government needs to create new rules for HIPAA compliance reflects a fundamental misunderstanding both of the cloud and of HIPAA. The cloud is a tool. It can be used in a HIPAA-compliant manner, with the necessary and appropriate safeguards in place to protect confidential information transmitted via the cloud between HIPAA-covered entities, just as safeguards are in place when the same data is transmitted via fax, mail, or courier. Or it can be used in a HIPAA non-compliant manner - in which case enforcement action should be severe. Using a publicly-available online calendar application to manage HIPAA-covered information was just a staggeringly irresponsible practice - the equivalent of posting protected health information on the office bulletin board.
The cloud-based global financial system has already demonstrated that the cloud is not an informational free-for-all - it is absolutely possible to both utilize the cloud and ensure a level of data security that is eons beyond what can be achieved using hard records, or insulated electronic systems protected by no more than a consumer-grade firewall.

©2013 MedTech Media Government Health IT is a publication of MedTech Media