Medical Professionals Face Unique Challenges Online

Medical Professionals Using The Cloud

The presence and value of Cloud tools have seeped into virtually every industry, and the medical profession is certainly no exception. However, because of the special rules regarding patient privacy, specifically those found in HIPAA, people handling patient information must follow specific guidelines that in many cases, are violated by standard cloud services. Of course many services claim HIPAA compliance in order to attract healthcare clients, however, an approved “HIPAA certification” doesn’t exist for cloud services. Therefore, it is important for people working in the medical industry to be aware of the rules and options when utilizing the Cloud for their business.

All medical professionals (and most people who’ve been to the doctor) are familiar with HIPAA, but to lay a foundation for this article, here is a little background. Congress passed the health Insurance Portability and Accountability Act back in 1996. You have HIPAA to thank for the enforcement of privacy standards (Infographic below by Cardigm)   that protect your personal health records (as well as health insurance portability, though the focus of this article will be the former). HIPAA makes provisions against industry fraud, imposes nationwide standards for the electronic management of records, and consequently ensures that confidential information will be handled in the appropriate manner.

Medical Professionals Using The Cloud

However, technology has come a long way since the act’s initial passage 20 years ago. As a result, it’s now far easier to commit a HIPAA violation than you might think. Businesses working in or with the medical industry must take particular care when it comes to the cloud to avoid the hefty fines that come with such violations. When planning processes and acquiring tools to adhere to HIPAA rules, additional steps often need to be taken to ensure that security is not sacrificed for the sake of the cloud’s convenience.

The Third-Party Service Problem

The primary difficulty of integrating private information with the cloud is that most major cloud services (e.g. Dropbox) are not managed by medical professionals and they reserve the right to access files on hosted on their servers. Therefore, any Instance in which these third parties have access to confidential client information would constitute a violation of HIPAA.

There are a few potential solutions to this issue, the first being a Business Associate Agreement (BAA). In this case, the third-party service enters an agreement allowing them to act as the business associate of a medical professional, thus protecting client info and meeting HIPAA standards. Unfortunately, this can potentially increase the provider’s liability and mean penalties for them should a breach occur, which means they’re less likely to submit to such an agreement. (Apple, for example, refuses to sign the BAA that would make iCloud HIPAA-compliant.)

Here are some cloud services that will sign Business Associate Agreements:

  • Document Sharing Services:
    • Dropbox for Business
    • Box Enterprise & Elite
  • Cloud Based Business VoIP
    • RingCentral office
    • Jive
  • Online Fax Services
    • SRFax
    • SFax
    • FaxAge
  • Online Backup Services
    • Carbonite
    • iDrive Business and Enterprise

If a BAA isn’t available, another option is utilization of a third-party encryption app. These services encrypt files before they are uploaded to the cloud, rendering them unreadable by the cloud service provider. A little research can quickly turn up alternative encryption solutions to products you may already be using, such as CloudLock for Google Apps for Work. Another option is to invest in an entirely separate service, such as Tresorit, which provides encryption as well as additional features, such as the option to “unsend” or revoke access to mistakenly sent data. Encryption also protects against instances of hacking and lost devices (i.e. laptop, phone), which can be potential threats to client security.

Another option is to use a service that offers a HIPAA setting, which essentially encrypts the files in the way a third party application might and will typically remove other features that violate HIPAA like sending files through email. However, without a signed BAA from the vendor, any mishandling of the information would still be a HIPAA violation.

A Note on Email and Fax

Transmitting consumer information via email is a violation of HIPPA, which is why faxing is still very common in the medical industry. While online fax services (e.g. eFax) utilize cloud portals where faxes can be retrieved, they typically also email a copy to the recipient. This constitutes a violation of HIPAA. However, medical professionals can use online fax services that offer special features (often referred to as a HIPAA conduit) like file encryption and fax notification via email only. As mentioned above, a HIPAA conduit setting alone is not as strong of a liability protection as a signed BAA.

In Conclusion

In the conversation surrounding HIPAA compliance, it’s crucial to retain as much information as you can about the status and location of confidential information. As putting any data into the cloud means losing a degree of control, those interested in avoiding violations should know the identity of every person that has access to the information, where the service provider is located, and the exact nature and content of the data itself. The responsibility to ensure patient privacy is ultimately borne by the medical professional. If this includes using the cloud—and in this day and age, it probably does—be sure to plan accordingly.

By Leo Welder

Alex Tkatch

Dare to Innovate: 3 Best Practices for Designing and Executing a New Product Launch

Best Practices for Designing and Executing a Product Launch Nothing in entrepreneurial life is more exciting, frustrating, time-consuming and uncertain than launching a new product. Creating something new and different can be exhilarating, assuming everything ...
Gary Bernstein

5 Popular Telemedicine Software Services

Telemedicine Software Since the beginning of the Covid-19 pandemic, telemedicine software services have become extremely popular, and every day more people are using this service instead of going to hospitals and emergency departments as they ...
Trading view

Notable Stock Screeners for 2021

Stock Screeners By this point, you probably already heard about everything that happened with GameStop (GME) stocks. GameStop is the largest video game retailer with 5,000 stores around the U.S. Due to the pandemic, the ...
Martin Mendelsohn

The Growth of Third Party Risk Management (TPRM) Firms

Cybersecurity and the Continued Risks Back in the day, we played cops and robbers with sticks and plastic squirt guns.  Sometimes you were pursued, at other times you were the pursuer.  There wasn’t much more ...
Business Voip

Cloud Governance Best Practices & How “Legacy Governance” Hurts

Cloud Governance Best Practices The cloud can provide your organization with substantial benefits -- if you adopt an effective cloud governance model. Businesses established before the cloud era (or those that took their IT governance ...