Beware cloud EHR vendors who don't follow HIPAA rules
Some companies offering cloud-based EHRs don't know they have to comply with HIPAA and won't sign business associate agreements with their provider clients as required by the law, Deborah Peel, M.D., founder of advocacy organization Patient Privacy Rights, tells FierceEMR in an exclusive interview.
That means these companies are not taking the steps that business associates are required to take to protect patients' protected health information, such as conducting risk analyses, creating audit trails and instituting basic security controls, Peel says.
But HIPAA's privacy and security requirements do apply to vendors who provide cloud-based EHR products, Joy Pritts, Chief Privacy Officer for the Office of the National Coordinator for Health IT, said, as reported in an article on Healthcare Info Security.
Cloud-based EHRs will become more popular because of their lower costs, but EHR vendors that host the data in the cloud are subject to HIPAA and will need to protect the patient data, Pritts said during a panel discussion on cloud computing and patient privacy on Jan. 7 in Washington, D.C.
Peel was also a speaker at the Jan. 7 panel discussion.
"A lot of data on the cloud isn't even encrypted," she tells FierceEMR.
A large part of the problem is the influx of EHR vendors that have entered the healthcare market without understanding the need to protect patient data, Peel says, and many providers do not screen their vendors on this issue.
"Doctors and hospitals are using cloud services [for their EHRs] without any idea if their data is protected," she warns.