New regulations imposed by HIPAA on health care entities have created a new compliance burden, because all record keeping must be converted to electronic filing by Oct 2015. This means that these entities, small and large, must invest significant additional resources in equipment, software and IT-trained personnel. With the arrival of completely digital records come new, more complex security worries. In particular, health care entities have two choices for supporting these requirements, and they have to determine which choice is best. The first option is completely in-house data storage: on-site servers supported either by an in-house IT staff or by a managed service provider. The alternative is off-site cloud storage, which eliminates internal hardware requirements as well as the need to maintain security firewalls around the data storage.
The concerns of health care entities: Health care providers have many worries related to this mass conversion of documentation to digital format. Some of these concerns have been focused on data security and the liabilities created by HIPAA.
Security and the Cloud: The idea of transferring private data to an off-site cloud can, at first, seem risky, and health care providers may worry that this transfer represents a greater security risk than keeping the data on-site. Can off-site cloud service providers (CSPs) offer as much data security as in-house storage? This is a significant factor to consider, since HIPAA now enforces stiff penalties and fines for the breach of Protected Health Information, or PHI. That liability provision may make health care providers reluctant to outsource their data storage.
NOTE: Changes in the law – An additional concern about the cloud has disappeared, but it is important to understand how it was addressed. The issue was whether CSPs were considered Business Associates (a category that would hold them equally responsible for maintaining data security). If not, they were potentially not responsible for data security under HIPAA regulations.
In the past, CSPs had argued that they were not health entities, since they were only storing private data. Had they agreed to be classified as such, they would have had to sign a HIPAA-mandated Business Associate Agreement (BAA), making them equally liable for a breach of PHI. They argued against this because they believed the CSP’s primary role was to provide storage of data that would be accessed by the HIPAA-covered entity’s staff. They also did not believe they were liable when a Business Associate of the health care provider subcontracted a cloud service provider. Finally, if HIPAA mandated that all data be encrypted and the CSP did not hold the encryption key, CSPs argued that they should not be held liable for a data breach.
Now, health care providers can take comfort in the fact that this compliance issue is all in the past. Cloud storage services will have to sign a Business Associate Agreement thus making them responsible for a breach of Electronic Health Record or EHR. This means that CSPs are required by law to report any breach in PHI and uphold their obligation to protect and secure patient information. The Department of Health and Human Services will hold BAs accountable for required privacy and security to protect PHI data. HIPAA has further clarified that BAs and subcontractors of BAs are directly liable for compliance with privacy and security requirements.
Still thinking about in-house IT management, or worried about cloud security?
You shouldn’t be. In the past you had patient files on paper that were locked away securely until someone decided to physically reach out and access them. Now you have a massive amount of data stored somewhere on an on-site server that will be very difficult to safeguard. Cloud computing is very secure, and your data will be much safer, especially because your cloud service provider is required by law to protect that data. It is also important to recognize that your on-site storage must remain secure while your clients, your staff, and many other medical service providers, such as hospitals, access that data. Now that HIPAA has sided with you on this issue, why not take advantage of a service that is legally bound to protect your data privacy and is far more economical than in-house IT management?
More importantly, cloud service providers are in the business of maintaining vast amounts of data at secured sites, with complete utility backups, mirrored servers, and security protections that just aren’t possible at an on-site health care site.
Here are some key points to note. A very significant transformation in the U.S. health care system has taken place, including a complete overhaul of record keeping and data storage. Another important change, which is extremely beneficial to health care providers, is that they now have an outsourced partner whose business is data storage and security. Health care regulators have mandated that anyone who handles the data in any manner will be held responsible for a breach of that data, so CSPs cannot shrug off this serious responsibility. This should be a big relief for health care providers, who can use the latest technology at affordable prices without having to worry about data security. It also renders in-house IT management less desirable because of its high cost and lack of dependability.