When making the transition to a cloud-based EMR platform, organizations take on significant responsibility. HIPAA defines the key requirements for how protected health information (PHI) is handled, stored, and shared. For healthcare providers, knowing what compliance in the cloud looks like helps increase protections for patients, minimize risk, and keep clinical work moving.
You can learn more here at https://pmc.ncbi.nlm.nih.gov/articles/PMC5869277/.
Why Is HIPAA Important?
HIPAA protects the confidentiality, integrity, and availability of patient data. In day-to-day treatment this means that only the right people have access to the relevant information, at the right time. It also means the organization has established policies, procedures, and security controls to protect against misuse or loss of that data.
Compliance with HIPAA is more than avoiding penalties. It fosters trust between patients and their providers, allows safe information sharing, and encourages collaborative practice. When a platform is built with compliance as its foundation, providers are less distracted by compliance issues and have clearer workflows with fewer interruptions.
Common Compliance Challenges
Switching to the cloud raises new questions about who is responsible for what, and how security is going to be applied. Practices commonly struggle with clarifying which responsibilities fall to the vendor and which to the practice, ensuring consistency across all locations, and keeping non-clinical users engaged with policy. It helps to have documents that define each party's responsibilities, good training programs, and a consistent approach.
Before going to the cloud, organizations should anticipate—and plan for—these common obstacles:
- Uncertainty over what shared responsibility looks like with the vendor in the absence of a robust Business Associate Agreement (BAA).
- Access sprawl: accounts and access authorizations that are not reviewed or deactivated in a timely manner.
- Staff training gaps that leave the organization exposed to phishing and social engineering.
- Shadow integrations with billing or imaging tools that have no approval or visibility.
- Poor device hygiene among remote and hybrid staff accessing electronic health records (EHR) remotely.
Protecting Patient Data in the Cloud

Done right, cloud environments can be highly secure. It is critical to focus on sound data encryption, cryptographic key management, validated backups, and regular testing and monitoring to confirm the protections actually work rather than existing only on paper.
A cloud-based EMR system can protect patient data, as long as data-protecting practices are followed, including:
- Encrypt all data at rest and in transit, with encryption the organization manages and controls.
- Isolate and rotate cryptographic keys, ideally in hardware-backed modules or a managed key service.
- Collect and keep only what is relevant to patient care and compliance.
- Establish and follow a backup regimen, complete restore exercises, and hold immutable, ideally geo-redundant, copies.
- Review vendor security measures and certifications; a BAA must be signed before any data exchange.
- Keep and review audit logs, focusing on unauthorized and flagged access.
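The last point is where most organizations fall short: logs are kept but nobody reads them. Below is an added example (written for this page, not code from any EMR vendor) of the kind of review that turns raw audit events into a short list for a privacy officer. The log lines, care-team table, role/action matrix, and thresholds are all constructed assumptions; in practice the care-team data would come from the EMR's scheduling or assignment tables.

```python
"""Review PHI access audit events and flag the ones that need a human look."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in JSON Lines form (not real data).
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:12:03", "user": "dr.lee", "role": "physician", "patient": "P-1001", "action": "view_chart"}
{"ts": "2024-05-06T09:14:40", "user": "dr.lee", "role": "physician", "patient": "P-1002", "action": "view_chart"}
{"ts": "2024-05-06T10:02:00", "user": "billing.kim", "role": "billing", "patient": "P-1003", "action": "export_chart"}
{"ts": "2024-05-06T11:00:00", "user": "dr.lee", "role": "physician", "patient": "P-2000", "action": "view_chart"}
{"ts": "2024-05-06T14:00:00", "user": "ma.park", "role": "medical_assistant", "patient": "P-1001", "action": "view_chart"}
{"ts": "2024-05-06T14:03:00", "user": "ma.park", "role": "medical_assistant", "patient": "P-1003", "action": "view_chart"}
{"ts": "2024-05-06T14:05:30", "user": "ma.park", "role": "medical_assistant", "patient": "P-2000", "action": "view_chart"}
{"ts": "2024-05-06T14:08:00", "user": "ma.park", "role": "medical_assistant", "patient": "P-1002", "action": "view_chart"}
{"ts": "2024-05-06T22:05:00", "user": "ma.park", "role": "medical_assistant", "patient": "P-1002", "action": "view_chart"}
{"ts": "2024-05-06T23:41:10", "user": "rn.ortiz", "role": "nurse", "patient": "P-1001", "action": "view_chart"}
"""

# Hypothetical reference data: who has a treatment (or billing) relationship with each patient.
CARE_TEAMS = {
    "P-1001": {"dr.lee", "rn.ortiz", "ma.park"},
    "P-1002": {"dr.lee", "ma.park"},
    "P-1003": {"dr.patel", "billing.kim", "ma.park"},
    "P-2000": {"dr.patel", "ma.park"},
}
# Hypothetical role/action matrix (minimum necessary): what each role may do.
ALLOWED_ACTIONS = {
    "physician": {"view_chart", "update_chart", "export_chart"},
    "nurse": {"view_chart", "update_chart"},
    "billing": {"view_billing"},
    "medical_assistant": {"view_chart"},
}
CLINICAL_ROLES = {"physician", "nurse"}   # night shifts are normal for these
BUSINESS_HOURS = (7, 19)                  # 07:00 inclusive to 19:00 exclusive, local time
BULK_WINDOW = timedelta(minutes=10)
BULK_LIMIT = 3                            # more distinct patients than this in the window is flagged


def parse_events(text):
    """Parse JSON Lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def review_event(ev):
    """Per-event rules. Returns a list of (rule, user, patient) findings."""
    findings = []
    if ev["user"] not in CARE_TEAMS.get(ev["patient"], set()):
        findings.append(("no_treatment_relationship", ev["user"], ev["patient"]))
    if ev["action"] not in ALLOWED_ACTIONS.get(ev["role"], set()):
        findings.append(("role_action_mismatch", ev["user"], ev["patient"]))
    start, end = BUSINESS_HOURS
    if ev["role"] not in CLINICAL_ROLES and not (start <= ev["ts"].hour < end):
        findings.append(("after_hours_nonclinical", ev["user"], ev["patient"]))
    return findings


def review_bulk(events):
    """Cross-event rule: one user touching many distinct patients in a short window."""
    by_user = defaultdict(list)
    for ev in events:                      # events are already sorted by time
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            window_start = ev["ts"] - BULK_WINDOW
            seen = {e["patient"] for e in evs[:i + 1] if e["ts"] >= window_start}
            if len(seen) > BULK_LIMIT:
                findings.append(("bulk_access", user, None))
                break                      # one finding per user is enough for review
    return findings


def review_log(text):
    """Run all rules over a log and return the combined findings."""
    events = parse_events(text)
    findings = []
    for ev in events:
        findings.extend(review_event(ev))
    findings.extend(review_bulk(events))
    return findings


if __name__ == "__main__":
    for rule, user, patient in review_log(SAMPLE_LOG):
        print(f"{rule:26} user={user} patient={patient}")
```

The findings are deliberately a review queue, not verdicts: a nurse on night shift or a medical assistant prepping the next day's charts may be entirely legitimate, and the point is that someone with authority looks at each one and records the outcome.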
Understanding Security Safeguards
The Security Rule defines three groups of safeguards, administrative, physical, and technical, each with practical application. They are meant to work together, and they exist for one reason: to safeguard the organization's digital assets. In short, policies inform behaviour, the facility secures the equipment, and technology provides access control and visibility.
Each group contains many contributing elements:
- Administrative safeguards include risk assessment, documented policies, workforce training, vendor management, and incident response plans.
- Physical safeguards include securing facilities, workstations, and devices and media (laptops, tablets, removable storage).
- Technical safeguards include unique user IDs, role-based access, automatic log-off after inactivity, encryption, and audit controls.
Most platforms go further, with single sign-on and multi-factor authentication, which significantly reduce credential risk. A standing review process for access authorizations keeps the organization at least privilege even as teams are added or changed.
How Compliance Impacts Daily Workflow
Compliance is visible at the level of day-to-day operational tasks, not just in a set of policies in a binder. Clinicians routinely log in to strongly authenticated systems, verify patient identity before reviewing a chart, communicate through secure and, where possible, patient-specific channels, share only the minimum necessary information, and document disclosures in line with policy and regulation.
Operational teams are no different. Administrators routinely run audits to confirm former employees can no longer access the system and to verify completion of mandatory training. When a system outage occurs, the organization's downtime plan spells out how care continues and how documentation and patient notes are captured and reconciled once the platform returns. When compliance is baked into the platform with an easy-to-follow process, providers spend less time resolving compliance issues and more time caring for patients.
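The former-employee audit described here, and the access sprawl listed earlier, are the same control: a periodic reconciliation of EMR accounts against the HR roster. The following is an added example (written for this page, not code from any EMR product) that joins a user export to the roster and flags accounts that should be disabled or re-approved. The account list, roster, service-account owners, and 90-day dormancy threshold are constructed assumptions.

```python
"""Periodic access review: reconcile EMR accounts against the HR roster."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]    # None means the account has never logged in
    roles: FrozenSet[str]


# Constructed sample data. In practice the roster comes from HR and the accounts
# from the EMR's user export.
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "dr.lee": ("active", None),
    "rn.ortiz": ("active", None),
    "billing.kim": ("terminated", date(2024, 4, 12)),
    "ma.park": ("active", None),
    "dr.old": ("terminated", date(2023, 11, 30)),
}
SERVICE_ACCOUNT_OWNERS = {"svc-billing": "it.ngo"}   # hypothetical: approved integrations and owners
PRIVILEGED_ROLES = {"emr_admin"}
APPROVED_PRIVILEGED = {"it.ngo"}                      # hypothetical: users approved for privileged roles
DORMANT_AFTER = timedelta(days=90)
IMMEDIATE_DISABLE = {"terminated_still_enabled", "unowned_account"}

ACCOUNTS: List[Account] = [
    Account("dr.lee", True, date(2024, 5, 6), frozenset({"physician"})),
    Account("rn.ortiz", True, date(2024, 1, 15), frozenset({"nurse"})),
    Account("billing.kim", True, date(2024, 4, 10), frozenset({"billing"})),
    Account("ma.park", True, date(2024, 5, 5), frozenset({"medical_assistant", "emr_admin"})),
    Account("svc-billing", True, date(2024, 5, 6), frozenset({"integration"})),
    Account("svc-imaging", True, None, frozenset({"integration"})),
    Account("dr.old", False, date(2023, 11, 2), frozenset({"physician"})),
]


def review_accounts(accounts, roster, today):
    """Return (rule, username) findings for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # already off; nothing left to revoke
        hr = roster.get(acct.username)
        if hr is None and acct.username not in SERVICE_ACCOUNT_OWNERS:
            findings.append(("unowned_account", acct.username))
        elif hr is not None and hr[0] == "terminated":
            findings.append(("terminated_still_enabled", acct.username))
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(("dormant", acct.username))
        if acct.roles & PRIVILEGED_ROLES and acct.username not in APPROVED_PRIVILEGED:
            findings.append(("privileged_not_approved", acct.username))
    return findings


def to_disable(findings):
    """Usernames whose findings justify disabling without further discussion."""
    return sorted({user for rule, user in findings if rule in IMMEDIATE_DISABLE})


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, HR_ROSTER, date(2024, 5, 7))
    for rule, user in results:
        print(f"{rule:24} {user}")
    print("disable now:", to_disable(results))
```

Terminated-but-enabled and unowned accounts go straight to the disable list; dormant and unapproved-privilege accounts go to the account owner or manager for a decision, and the decision is recorded so the next review can show the loop was closed.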