As a physician, you have access to a lot of private health information about your patients. So one important job for both you and your staff is protecting patient information, especially when it comes to complying with the Health Insurance Portability and Accountability Act (HIPAA) and guarding against security breaches. In the Healthcare Information and Management Systems Society (HIMSS) Leadership Survey, 20 percent of respondents said that their organization had dealt with some type of security breach in the past 12 months, and 38 percent said that they were concerned about their organization's ability to comply with HIPAA regulations and security audits from the Centers for Medicare & Medicaid Services.
Providers who have transitioned to using electronic medical records (EMR) now face the challenges associated with providing secure storage for electronic protected health information (ePHI). Creating your own infrastructure and IT support for data storage and management can be challenging and costly. To save time and effort, many health care providers and facilities are turning to the cloud. Several HIPAA-compliant cloud-storage vendors exist, but remember that it is still your responsibility to ensure that protected information is reasonably secure, according to the Department of Health & Human Services (HHS).
Getting to Know the HIPAA Regulations
Before you begin evaluating cloud storage options, be sure that you understand the HIPAA Security Rule, as detailed by HHS. There are three types of safeguards to adhere to: administrative, physical, and technical. Administrative safeguards primarily refer to the policies and procedures in place related to protecting ePHI within your practice. The technical and physical safeguards apply to protecting electronic data and access to workstations or devices that hold ePHI. These standards are intended to guard against intentional or unintentional use or disclosure of ePHI that violates HIPAA regulations and puts your patients' information at risk.
Physical safeguards, as laid out by HHS, refer to policies within the facility to oversee appropriate access to the building or office. These include protecting physical workstations and media sources from environmental hazards, natural hazards, and unauthorized intrusions. These safeguards may also involve limiting access to facilities and workstations to authorized personnel. Physical safeguards also cover the disposal and reuse of physical hardware, along with data backup and storage.
Technical safeguards refer to policies and procedures that protect ePHI and control access to that information. These standards cover the requirements to ensure that only authorized persons can access ePHI and that data has not been altered or destroyed in an unauthorized manner. The standards also regulate authentication of the identity of users and ensure the secure transmittal of data over electronic networks.
Choosing Cloud Storage for Your EMR Data
Cloud computing refers to a network of servers that allows you to access information from multiple devices. Increasingly, cloud-based tools, most commonly used for hosting clinical applications and for data backup, are becoming the norm. In a 2014 HIMSS survey of health care leaders about cloud computing, 83 percent of respondents said that their organization already uses cloud services in some capacity, and many plan to increase their usage. Yet despite their widespread adoption, security remains a top concern.
Before evaluating these services, it's important to conduct a risk assessment, which is a component of the HIPAA Security Rule. A risk analysis will help you understand your needs and current vulnerabilities and will inform any discussions with prospective cloud vendors. HIMSS offers a risk-assessment guide and data-collection matrix to guide you through the process. For regular analysis, you can also use risk assessments from cloud vendors to ensure ongoing security and compliance. Cloud-vendor risk assessments look at potential sources of threats and vulnerabilities as well as hardware and software inventory.
Many cloud-service providers are HIPAA compliant, with strong encryption and security procedures, but you need to do your research. Some claim to be compliant but may not meet all the security requirements you need. Be sure that you know what to ask; HIMSS provides a number of questions, including how the company ensures that data is not lost or stolen, what happens in the event of a security breach, and whether the company has insurance to cover a data breach.
In addition to finding a vendor that complies with the technical and physical safeguards of HIPAA, you also want a vendor that's willing to enter into a business associate agreement, as explained by HHS. HIPAA rules generally require a contract to ensure that business associates will properly safeguard protected information.
Using the cloud for your EMR document storage and protecting transmission of that information is a great way to contain costs and comply with HIPAA regulations. Just be sure that you conduct regular risk assessments to address any vulnerabilities and have a keen understanding of what your vendor provides in terms of storage and protection. By remaining vigilant, you'll comply with government regulations and ensure that your patients' information is fully protected.