WRITTEN BY ANTHONY BRINO

In April, the Department of Health and Human Services reached a $100,000 HIPAA settlement with Phoenix Cardiac Surgery, after the small physician practice had managed clinical and surgical appointments, between 2007 and 2009, using an Internet-based calendar that also happened to be publicly available.


Setting a New Standard

The Internet being the most ubiquitous form of cloud computing, an Austin, Texas-based advocacy group called Patient Privacy Rights is pointing to the Phoenix Cardiac Surgery HIPAA violation as an example of why HHS should regulate, or at least guide, cloud use in healthcare.

In a letter to the HHS Office for Civil Rights, Patient Privacy Rights founder and chair Deborah Peel, MD, urged the agency to create cloud-computing guidelines around the issues of secure infrastructure, security standards, and business associate agreements.

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other healthcare professionals will be protected,” Peel said.

IMAGES © FOTOGESTOEBER, MAXKABAKOV / FOTOLIA
CONNECTION/HEALTHCARE IT 2013.Q1


Creating a Secure Transition to the Cloud

Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed “if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.”

Patient Privacy Rights, founded in 2006, is encouraging HHS to adopt guidelines that highlight “the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.”

In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. “HHS and HIPAA guidance in this area, to date, is limited,” Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.


At the Forefront: Patient Privacy

It’s not clear how often cloud-based IT services have breached HIPAA, and some IT professionals have argued that cloud-based EHRs could actually help prevent breaches.

Still, it’s a concern for health organizations, which are increasingly using cloud-based services for a variety of IT needs. According to a recent survey by the Ponemon Institute, 62% of health organizations use cloud services heavily or moderately. Almost half of the respondents told Ponemon that they are not confident in the information security of cloud-based services.

Whatever HHS decides to do in the area of HIPAA and the cloud, the agency has been a leader in the federal government’s Cloud First Program, intended as a way to help lean and improve IT systems at large government organizations.


ABOUT THE AUTHOR

Anthony Brino is Associate Editor for Healthcare Payer News and Government Health IT, covering a range of issues affecting the healthcare payer and government markets.

