Tumult in the Clouds

by Brendon Nafziger, DOTmed News Associate Editor | April 29, 2010

"I don't think actual patient records will go into the cloud any time soon," he says. He foresees the first use to be unidentified data packets used in collaborative research. Cloud-hosting the packets would make it easy for researchers scattered around different hospitals or laboratories to pull down the data, but in the event of a breach, no one's privacy would be compromised.

"We wouldn't be quick to embrace it," Passe says. "There are enough things going on in Boston health care. You don't want to be on page one because of a data spill or data leak."

Equally important, there are privacy concerns that relate to HIPAA.

Hip to HIPAA

Passed in 1996 and amended to its current form in 2003, the Health Insurance Portability and Accountability Act (HIPAA) is a complex suite of rules governing in part how confidential medical information can be shared and accessed.

The near consensus among privacy advocates and health care providers is that it's creaky, leaky and outdated. "HIPAA is a fib," says Pam Dixon, executive director of the World Privacy Forum. She and her Cardiff by the Sea-based organization have helped shape privacy and medical reporting law in California and regularly consult with state and federal government to develop tougher medical privacy laws.

Still, HIPAA's better than nothing, and even its flawed protections are generally held to be worthwhile. And regardless of its merits, the government can enforce compliance.

Which brings us to one of the main dangers with the cloud: ensuring that HIPAA-covered entities - such as health care providers - stay within the law when putting personal health records in cloud storage.

Although it's easy to think of data in the cloud as nebulous vapors passing from site to site, the bits and blips of data are actually stored on slivers of silicon or other materials in a real-world physical location: one that could be outside the country, thereby putting it in violation of HIPAA agreements (all HIPAA-protected data must be in-country) and not subject to its protections.

"If the records are stored abroad, the only legal protections would be the contract the service provider signed with that organization or business entity. They don't have the force of law in the same way," says Dixon. "It's a whole different ballgame, and it's not HIPAA."

That's not all. Under HIPAA rules, any health care provider who wants to upload sensitive, identifiable patient records to the cloud must enter into a business associate agreement with the cloud host, which then requires the host to obey HIPAA guidelines about limiting access to the data and providing full audits of that access.