Magazine article Information Management

Balancing the Risks and Rewards of Cloud-Based Healthcare Information

Article excerpt

We are in the early stages of the electronic health record (EHR) era. And while EHRs offer many benefits, their proliferation is presenting challenges that some healthcare organizations are not equipped to handle.

For example, storing, harvesting, and accessing EHRs on a regular basis require significant investments in technology and personnel. To mitigate these costs, many healthcare organizations use cloud vendors for these services, which has some inherent risks. Storing EHRs in the cloud is still a good option, though, if organizations take the appropriate steps to mitigate these risks.

Cloud Benefits and Risks

The benefits and risks of outsourcing EHRs to the cloud are both quantitative and qualitative.


On the benefit side, using a cloud vendor can dramatically reduce costs and enhance patient outcomes.

First, by deploying a cloud solution, the organization need not pay for hardware or the IT personnel that would be required to maintain EHRs onsite. In addition, a cloud option can be deployed to address an exponential increase in EHRs more quickly and cost-effectively than an onsite solution can be.

Second, deploying a cloud solution has the potential to enhance patient outcomes. When information is stored in the cloud, physicians can access it at any time and can collaborate with hospitals and other physicians regarding a patient's care.


On the risk side of the equation, using a cloud solution could increase liability if the cloud vendor is not compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the 2013 HIPAA Omnibus Final Rule, which provides a more expansive definition of "business associates" that likely encompasses most cloud vendors.

According to the January 25, 2013, issue of the Federal Register (available at FR-2013-01-25/pdf/2013-01073.pdf), "... a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold."

While the Omnibus Final Rule imposes direct liability for security breaches on business associates, covered entities (like healthcare providers) are also liable.

While deploying a cloud solution can enhance patient outcomes, it can also detrimentally impact a patient in an emergency situation if vital health information stored there is not available. In addition, a security breach of that cloud-based information might expose additional patient information such as financial data, name, and address, which can be used to wreak havoc on an unsuspecting victim.

There is also the potential for violating international data privacy laws if EHRs are held on cloud servers located outside the United States.

Further, data stored in the cloud must be accessible and produced if it is relevant to litigation. Properly implementing a litigation hold and producing data stored with a cloud vendor can be difficult, and failure could subject the organization to sanctions for spoliation of evidence.

Security Issues in the Cloud

Records managers working within the healthcare industry need to be intimately familiar with HIPAA's Security Rule in order to mitigate the risks and liabilities from using a cloud vendor to hold electronic records. The Security Rule applies to health plans, healthcare clearinghouses, healthcare providers, and business associates.

Pursuant to the HIPAA Omnibus Final Rule referenced above, subcontractors that create, receive, maintain, or transmit protected health information (PHI) on behalf of business associates are now also business associates and must comply with the Security Rule. …
