Do you have a cloud-based EMR/EHR? Concerned about security? Pulse Practice Solutions is a Nashville company specializing Managed IT security solutions for Medical Practices. A valuable resource for medical practices – give us a call at 615-425-2719 for a cost-free evaluation of how we can make your practice more efficient!
Health care organizations should consider possible privacy and security risks when storing electronic health record data on cloud-based systems, according to experts at a recent conference, InformationWeek reports (Versel, InformationWeek, 8/22).
Cloud-based EHRs store patient data on the Web in off-site servers rather than on local devices (iHealthBeat, 6/22).
Speaking last week at the American Health Information Management Association Legal EHR Summit in Chicago, Gerard Nussbaum — director of technology services at Kurt Salmon Associates, a management consultancy firm — said that HIPAA privacy and security rules do not specify whether a health care provider using a cloud-based EHR system owns the data or if the information belongs to the service provider.
Nussbaum said that health care providers should “iron out up front” what each party’s responsibility is in the event of a breach, including who must notify individuals whose information might have been compromised.
In addition, Nussbaum said health care providers should be aware of how they would retrieve medical data should they stop using a cloud-based EHR system.
Sandra Nunn, a health information management consultant, said health care providers should ask vendors whether an audit trail can be easily accessible in the event of a data breach. She added that health care providers should request an audit log from their vendors a few times every year.
According to InformationWeek, the need for clearer security procedures could become more urgent under the recent accounting of disclosures proposed rule from HHS’ Office for Civil Rights.
The proposed rule would change existing HIPAA privacy standards to require covered entities to produce disclosure reports within 30 days of a patient’s request, compared with the current 60 days (InformationWeek, 8/22).
Source: iHealthBeat
