EHR Data In Cloud Needs Strong Security Trail

Presenters at a recent Legal EHR Summit warn healthcare providers to press their vendors for clear answers on security.

Slideshow: Healthcare Innovators (click image for larger view andfor full slideshow)
With healthcares unique information security requirements, the growth of cloud-based electronic health records (EHRs) is raising a number of new issues regarding data stewardship and organizational responsibility.
According to Gerard Nussbaum, director of technology services at management consultancy
Kurt Salmon Associates
, the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not specify whether a provider using a cloud-based EHR owns data in the medical records or if the information belongs to the service host. Speaking last week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago, Nussbaum recommended that healthcare providers explicitly negotiate data usage in contracts, particularly in case of a breach.
Nothing is secure from breaches, noted Nussbaum, an attorney. Knowing this, he said its best to iron out up front what each partys legal responsibility is in the event of a breach, such as who must notify individuals whose data may have been compromised.
Health information management consultant Sandra Nunn, who participated in a panel discussion on managing health information in the cloud, said she wants her clients to reach a clear understanding with their vendors about whether information will be sequestered in the cloud if there is a breach and whether there will be an easily accessible audit trail.
Having multiple cloud vendors can complicate your situation, Nunn said. She surmised that it might be a good idea for providers to ask their vendors once or twice a year to create an audit log just to make sure its possible.
This soon could become more urgent, based on a recent proposal from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In what is being called the accounting for disclosures rule, OCR has
proposed changing existing HIPAA privacy standards
to require covered entities to produce disclosure reports within 30 days of a patients request, rather than the current 60 days.
Another panel member, Daniel Orenstein, senior VP and general counsel of EHR and physician business services provider
Athenahealth
, Watertown, Mass., said that he has never actually seen a patient request an accounting for disclosures. It would take a good amount a work on the provider end to compile the information, but EHRs are capable, whether in the cloud or on a local server. We certainly can produce it, Orenstein said.
Athenahealth did not submit formal comments to HHS on the proposed accounting rule, according to Orenstein, but the company, which long has offered remotely hosted services, is emblematic of the way the health IT industry is shifting, particularly for small physician practices. A month ago, Athenahealth announced plans to acquire Proxsys, a provider of care-coordination services that links physicians and hospitals via the cloud, to beef up its health information exchange capabilities.
Because of this trend, Nussbaum said due diligence must be an ongoing process. Providers should, for example, be aware of how they would get their data back should they stop using a cloud-based EHR or simply switch vendors.
He recommended walking away from any vendor that refuses to run a security audit because it suggests that the vendor is not serious about transparency. You have to do the security audit one way or another, Nussbaum said, even if it is through a third party.
Nussbaum also said to avoid shrinkwrap licenses that dont take into account individual customers needs in HIPAA business associates agreements.
Find out how health IT leaders are dealing with the industrys pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians.
Download the issue now
. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
EHR Data In Cloud Needs Strong Security Trail