Monthly reports, audits improve security of cloud
Security is a major concern for healthcare providers using the cloud, says Paul Rubell, JD, partner in the Corporate Law Group at the law firm of Meltzer Lippe Goldstein & Breitstone in Mineola, NY.
Through the use of the cloud, vital patient records can be viewed and updated by different healthcare providers, and shared by all. But because a patient's private information is available to so many important players in the healthcare arena, its integrity and security are at risk, Rubell notes.
"Can patient privacy truly be upheld? The risk of unauthorized access to personally identifiable information is great," Rubell says. "No longer will access to a patient's EHR [electronic health record] be restricted only to the employees of a medical practice. That same patient's EHR will be accessible to the employees of insurance companies, pharmacies, billing companies, and now, industry computer firms."
Rubell offers this advice on improving security in the cloud:
Insist on monthly written reports from the webhost to ensure the integrity and security of your data.
A well-written hosting agreement should require the webhost to furnish monthly written reports to the healthcare organization, by providing customized and specific information about the maintenance of patient information. The agreement should specify exactly what information is to be furnished. One size does not fit all; the format and contents of the reports need to be tailored to the circumstances.
Audit rights are another way for providers to ensure that their patients' confidential information is being maintained appropriately and in accordance with HIPAA and best practices. A cloud hosting agreement should permit the provider's representatives to have access to the host's facility. More importantly, the provider should use this right of access and direct its trained personnel to inspect the host's place of business. Too frequently, although a lawyer may draft a useful contract provision such as this, it is up to the healthcare provider to take advantage of this contractual power; otherwise it becomes meaningless.
A cloud computing agreement should call for the host to furnish frequent updates to the client about changes to the location of the client's data.
Again, a contract right such as this becomes meaningless if the client fails to enforce its legal rights and insist upon compliance.
If the Internet provider goes out of business, it might be difficult or impossible to locate or access a patient's EMR.
Instead of making healthcare records more easily accessed, the specter of business failure (especially in today's economy) might have the opposite result. Will patients' data be released to unauthorized people? Will the data be subject to the jurisdiction of bankruptcy courts or available to creditors of the bankrupt Internet provider?
A source code escrow arrangement is one way for a healthcare provider to maintain a degree of control over the specter of a software host's bankruptcy or cessation of business.
Via an escrow agreement model, the hosting company would deposit, with a third party, the important computer programming and data in a secure place. The arrangement would authorize the third party to release the programs and data to the provider if the host company goes out of business.