OCR must issue cloud guidance, patient privacy advocates say

Tools

Privacy advocate organization Patient Privacy Rights is calling on OCR to issue strong guidance on cloud computing in healthcare. 

In a letter sent today to Office for Civil Rights Director Leon Rodriguez, PPR founder and chair Deborah Peel, M.D., in outlining criteria for such guidance, says that patients need reassurance that their personal medical information will be adequately protected.

Peel uses the example of Phoenix (Ariz.) Cardiac Surgery posting patient appointments online in an unsecured calendar as an instance of challenges arising when providers move to the cloud.   

"PPR encourages [the U.S. Department of Health & Human Services] to issue guidance that highlights the lessons learned from the Phoenix Cardiac Surgery case while making clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law," she says.

PPR's criteria for such guidance, according to Peel, includes:

  • A secure infrastructure: "Appropriate administrative, physical and technical safeguards must be in place," Peel says. Such safeguards should include, but are not limited to, a comprehensive risk assessment by external auditors, audit controls that cannot be turned off and data encryption.
  • Security standards: According to Peel, these standards should be consistent and compatible with standards required of federal agencies, including the HIPAA Security Rule and the HITECH breach notification requirements.
  • Privacy of protected health information: "Standards must be included that establish the appropriate use, disclosure and safeguarding of individually identifiable information" that take into account that HIPAA is a floor, not a ceiling, for privacy protections.
  • Business associate agreement requirement and standardization: These must be consistent with OCR guidance already in place, and apply in situations where software companies are given access to protected health information by HIPAA-covered entities. "It is imperative that these BAA standards promote the protection of privacy and security of health information to ensure public trust in health IT systems and promote quality healthcare, healthcare innovation and health provider collaboration," Peel says.

In related news, the Center for Medicare and Medicaid Innovation has awarded more than $16 million to the Mayo Clinic, Philips Research North America and the United States Critical Illness and Injury Trials Group to study how cloud-based clinical decision support technology can boost critical care for intensive care unit patients receiving Medicare. According to a Philips announcement, several other facilities plan to participate in the research, including Duke University, the University of Minnesota, Beth Israel Deaconess Medical Center and Montefiore Medical Center in New York.

CMMI estimates that the research could result in more than $80 million in reduced healthcare costs.

To learn more:
- here's Peel's letter to Rodriguez (.pdf)
- here's the Philips announcement

Related Articles:
OCR: No fail-safe for de-identifying patient info
Cloud storage to enable massive cancer cell database
To the cloud? Better check your security arrangements