Organizations Need Assurance the Cloud has Proper Safeguards
As healthcare becomes more reliant on telemedicine technology, the Federal Trade Commission is stepping up its enforcement of the Health Insurance Portability and Accountability Act, or HIPAA.
Ross Friedberg says cloud-based telemedicine is the new frontier of healthcare. Friedberg, an attorney with the firm of Epstein Becker & Green, recently conducted a webinar for the Robert J. Waters Center for Telehealth and e-Health Law (CTeL) on the stricter enforcement of guidelines for connected healthcare companies that store patient data or connect with patients through apps and other mobile tools. The Federal Trade Commission, he said, is taking a more active role to protect consumers and patients.
We all know the problems that occur when unauthorized “someones” gain access to personal information. Most of us have received at least one letter in the mail, whether from retailers, banks, or software companies, warning us that we may need to take protective action because of a data breach. Bad enough that criminals might force us to cut up our debit and credit cards. When I worked for the Arizona Medical Board, I took several calls from people whose medical insurance companies were denying them coverage for medical care and procedures in cities where they had never been. Thieves had compromised a doctor’s practice database and were selling the personal medical information to people who used the stolen identities to cover their medical bills. I never did hear the outcome of the investigation and resulting legal issues, just the anger and pain in the voices of the victims.
Healthcare organizations need assurance that cloud-based vendors who are HIPAA business associates have the proper safeguards in place. Friedberg says that outsourcing data storage may be convenient and cost-effective, but “it’s not always clear whether these contractors are complying with the relevant laws and regulations.” His advice? Don’t accept suggestions that cloud providers are HIPAA-compliant. Examine a vendor’s privacy and security standards. Pay for physical security audits if there is any question. Seek help from IT experts, especially for the implementation process.
On the question of providers using Web-based communications platforms to connect with patients, Friedberg gave the appropriate answer. Even though HIPAA doesn't require encryption, better to be safe than sorry. The current standard is 128-bit encryption. It should be at least that or better. And the platform should be able to detect breach attempts, even those that are unsuccessful.
About the author: Roger Downey is currently the Communications Manager for GlobalMed, a telemedicine design, manufacturing and marketing firm. He is a 25-year broadcast news veteran in Phoenix. Roger is a Board Member of the Arizona Partnership Implementing Patient Safety (APIPS) and a member of the American Telemedicine Association Pediatric Special Interest Group. This article was originally published on GlobalMed and is republished here with permission.