Practices with Cloud-Based EHRs Should Address Unique Security Issues Up Front

August 29, 2011

If you’re part of a growing number of practices adopting cloud-based EHRs, be sure to consider unique security issues in advance.

If you’ve got an EHR, chances are you’ve put some thought into security risks and data breaches. But if you’re part of a growing number of practices adopting cloud-based EHRs, you may face unique security considerations. 

During a speech at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago earlier this month, Gerard Nussbaum, director of technology services at management consultancy Kurt Salmon Associates, said HIPAA privacy and security rules do not specify whether a provider using a cloud-based EHR owns data in the medical records or if the information belongs to the service host. Nussbaum recommended that healthcare providers explicitly negotiate data usage in contracts, particularly in case of a breach, InformationWeek reported.

"Nothing is secure from breaches," said Nussbaum, who suggested healthcare organizations “iron out” each party’s legal responsibility in the event of a breach up front. By doing this up front, it will be easier to notify individuals whose data may have been compromised, he said.

Steven ZoBell, vice president of product development and CTO for EHR provider ADP AdvancedMD, told Physicians Practice that practices using cloud-based EHRs should get a clear understanding of their EHR’s compliance with the HIPAA Security Rule before making a commitment.

“If the EHR provider is in compliance, then it assures [practices] that many policies and procedures are in place to ensure the safety of the electronic personal health information within the cloud-based platform,” said ZoBell, via e-mail. “This reduces the number of concerns that an individual practice needs to contemplate to ensure that their own practice is compliant with the HIPAA Security Rule.”

Taking preventative measures to protect against data breaches has become more of a priority in the EHR era, especially with the growing use of e-mail and mobile devices.

The HITECH Act, part of the American Recovery and Reinvestment Act of 2009, gives flesh to HIPAA privacy and security rules by imposing stiffer penalties on health organizations found guilty of data breaches, according to legal experts.

Penalties include an increase in maximum fines (up to $1.5 million). In addition, if the breach involves more than 500 records, the covered entity has to notify the local media as well as patients and HHS.

For that reason, some believe practices using cloud-based EHRs might have certain advantages.

“The HIPAA Security Rule is very expansive and if a provider is going to try and comply with it using a legacy client-server solution, nearly all the burden is on the practice,” says ZoBell. “However, with a cloud-based solution the effort of compliance is greatly reduced for the practice if the cloud-based solution’s company is compliant with the HIPAA Security Rule.”