Balancing the risks and rewards of cloud-based healthcare information.

Author: Shwayri, Rebecca N.
Position: INDUSTRY-SPECIFIC

We are in the early stages of the electronic health record (EHR) era. And while EHRs offer many benefits, their proliferation is presenting challenges that some healthcare organizations are not equipped to handle.

For example, storing, harvesting, and accessing EHRs on a regular basis require significant investments in technology and personnel. To mitigate these costs, many healthcare organizations use cloud vendors for these services, which has some inherent risks. Storing EHRs in the cloud is still a good option, though, if organizations take the appropriate steps to mitigate these risks.

Cloud Benefits and Risks

The benefits and risks of outsourcing EHRs to the cloud are both quantitative and qualitative.

Benefits

On the benefit side, using a cloud vendor can dramatically reduce costs and enhance patient outcomes.

First, by deploying a cloud solution, the organization need not pay for hardware or the IT personnel that would be required to maintain EHRs onsite. In addition, a cloud option can be deployed to address an exponential increase in EHRs more quickly and cost-effectively than an onsite solution can be.

Second, deploying a cloud solution has the potential to enhance patient outcomes. When information is stored in the cloud, physicians can access it at any time and can collaborate with hospitals and other physicians regarding a patient's care.

Risks

On the risk side of the equation, using a cloud solution could increase liability if the cloud vendor is not compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the 2013 HIPAA Omnibus Final Rule, which provides a more expansive definition of "business associates" that likely encompasses most cloud vendors.

According to the January 25, 2013, issue of the Federal Register (available at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf), "... a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold."

While the Omnibus Final Rule imposes direct liability for security breaches on business associates, covered entities (like healthcare providers) are also liable.

While deploying a cloud solution can enhance patient outcomes, it can also detrimentally impact a patient in an emergency situation if vital health information stored there is not available. In addition, a security breach of that cloud-based information might expose additional patient information such as financial data, name, and address, which can be used to wreak havoc on an...
