Medical Professionals Face Unique Challenges Online

Medical Professionals Using The Cloud

The presence and value of Cloud tools have seeped into virtually every industry, and the medical profession is certainly no exception. However, because of the special rules regarding patient privacy, specifically those found in HIPAA, people handling patient information must follow specific guidelines that in many cases, are violated by standard cloud services. Of course many services claim HIPAA compliance in order to attract healthcare clients, however, an approved “HIPAA certification” doesn’t exist for cloud services. Therefore, it is important for people working in the medical industry to be aware of the rules and options when utilizing the Cloud for their business.

All medical professionals (and most people who’ve been to the doctor) are familiar with HIPAA, but to lay a foundation for this article, here is a little background. Congress passed the health Insurance Portability and Accountability Act back in 1996. You have HIPAA to thank for the enforcement of privacy standards (Infographic below by Cardigm)   that protect your personal health records (as well as health insurance portability, though the focus of this article will be the former). HIPAA makes provisions against industry fraud, imposes nationwide standards for the electronic management of records, and consequently ensures that confidential information will be handled in the appropriate manner.

Medical Professionals Using The Cloud

However, technology has come a long way since the act’s initial passage 20 years ago. As a result, it’s now far easier to commit a HIPAA violation than you might think. Businesses working in or with the medical industry must take particular care when it comes to the cloud to avoid the hefty fines that come with such violations. When planning processes and acquiring tools to adhere to HIPAA rules, additional steps often need to be taken to ensure that security is not sacrificed for the sake of the cloud’s convenience.

The Third-Party Service Problem

The primary difficulty of integrating private information with the cloud is that most major cloud services (e.g. Dropbox) are not managed by medical professionals and they reserve the right to access files on hosted on their servers. Therefore, any Instance in which these third parties have access to confidential client information would constitute a violation of HIPAA.

There are a few potential solutions to this issue, the first being a Business Associate Agreement (BAA). In this case, the third-party service enters an agreement allowing them to act as the business associate of a medical professional, thus protecting client info and meeting HIPAA standards. Unfortunately, this can potentially increase the provider’s liability and mean penalties for them should a breach occur, which means they’re less likely to submit to such an agreement. (Apple, for example, refuses to sign the BAA that would make iCloud HIPAA-compliant.)

Here are some cloud services that will sign Business Associate Agreements:

  • Document Sharing Services:
    • Dropbox for Business
    • Box Enterprise & Elite
  • Cloud Based Business VoIP
    • RingCentral office
    • Jive
  • Online Fax Services
    • SRFax
    • SFax
    • FaxAge
  • Online Backup Services
    • Carbonite
    • iDrive Business and Enterprise

If a BAA isn’t available, another option is utilization of a third-party encryption app. These services encrypt files before they are uploaded to the cloud, rendering them unreadable by the cloud service provider. A little research can quickly turn up alternative encryption solutions to products you may already be using, such as CloudLock for Google Apps for Work. Another option is to invest in an entirely separate service, such as Tresorit, which provides encryption as well as additional features, such as the option to “unsend” or revoke access to mistakenly sent data. Encryption also protects against instances of hacking and lost devices (i.e. laptop, phone), which can be potential threats to client security.

Another option is to use a service that offers a HIPAA setting, which essentially encrypts the files in the way a third party application might and will typically remove other features that violate HIPAA like sending files through email. However, without a signed BAA from the vendor, any mishandling of the information would still be a HIPAA violation.

A Note on Email and Fax

Transmitting consumer information via email is a violation of HIPPA, which is why faxing is still very common in the medical industry. While online fax services (e.g. eFax) utilize cloud portals where faxes can be retrieved, they typically also email a copy to the recipient. This constitutes a violation of HIPAA. However, medical professionals can use online fax services that offer special features (often referred to as a HIPAA conduit) like file encryption and fax notification via email only. As mentioned above, a HIPAA conduit setting alone is not as strong of a liability protection as a signed BAA.

In Conclusion

In the conversation surrounding HIPAA compliance, it’s crucial to retain as much information as you can about the status and location of confidential information. As putting any data into the cloud means losing a degree of control, those interested in avoiding violations should know the identity of every person that has access to the information, where the service provider is located, and the exact nature and content of the data itself. The responsibility to ensure patient privacy is ultimately borne by the medical professional. If this includes using the cloud—and in this day and age, it probably does—be sure to plan accordingly.

By Leo Welder

Focusing on Online Gaming Security During Development

Online Gaming Security Infrastructure Updated article: June 2nd, 2020 There are millions of gamers around the globe and as of 2018, video games generated sales of US$134.9 billion annually worldwide. As video games continue to ...

How to Choose the Right Cloud Printing Solution for Your Business

Cloud Printing Business Solutions The demand for cloud printing is primarily driven by the overall organizational benefits of Software as a Service (SaaS) portfolio. The expectation of flexibility in workplace tools, of plug-and-play solutions for ...

Accessing (HPC) High Performance Computing

HPC in the Cloud Big data and Machine Learning (ML) can provide businesses with incredible insights and an innovative edge. However, to properly analyze the data collected or to train your ML models, you need ...

Episode 7: Haste Makes Waste: The Dangers of Rushing to the Cloud

Dangers of Rushing to the Cloud The pressure to accelerate your company’s plans to move to the public cloud is substantial. But it should never be taken lightly. It’s a democratized world far away from ...

Why Cloud Technology is a Smart Business Move for Higher Education

Higher Education Technology Cloud technology is not just for the world of big business. A growing number of higher education institutions are also embracing the cloud’s many advantages, especially for its data gathering and analytics ...

Why Remote Migrations are Essential for Business Continuity

Remote Business Continuity We are approaching a banner year for the cloud. The COVID-19 pandemic has highlighted the importance of cloud technology to enable resilience and business continuity, and it will be a critical time ...