Patient Privacy Rights asks HHS for guidance on cloud security

December 31, 2012

In April, the Department of Health and Human Services reached a $100,000 HIPAA settlement with Phoenix Cardiac Surgery, after the small physician practice had managed clinical and surgical appointments, between 2007 and 2009, using an Internet-based calendar that also happened to be publicly-available.

The Internet being the most ubiquitous form of cloud computing, an Austin, Texas-based advocacy group called Patient Privacy Rights is pointing to the Phoenix Cardiac Surgery HIPAA violation as an example of why HHS should regulate, or at least guide, cloud use in healthcare.

In a letter to the HHS Office for Civil Rights, Patient Privacy Rights founder and chair Deborah Peel, MD, urged the agency to create cloud-computing guidelines around the issues of secure infrastructure, security standards and business associate agreements.

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed “if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.”

Patient Privacy Rights, founded in 2006, is encouraging HHS to adopt guidelines that highlight “the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.”

In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. “HHS and HIPAA guidance in this area, to date, is limited,” Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.

It’s not clear how often cloud-based IT services have breached HIPAA, and some IT professionals have argued that cloud-based EHRs could actually help prevent breaches.

Still, it’s a concern for health organizations, which are increasingly using cloud-based services for a variety of IT needs. According to a recent survey by the Ponemon Institute, 62 percent of health organizations use cloud services heavily or moderately. Almost half of the respondents told Ponemon that they are not confident in the information security of cloud-based services.

Whatever HHS decides to do in the area of HIPAA and the cloud, the agency has been a leader in the federal government’s Cloud First Program, intended as way to help lean and improve IT systems at large government organizations.