This is for the paranoid out there, and if you are a physician, you need to be paranoid about how your practice handles protected health information (PHI).
Cloud computing is the hip, in-thing right now.
Cloud storage is where things can get tricky. Note: you had better have a HIPAA office policy on this matter.
What is Cloud Storage?
At its most basic level, cloud storage makes it very easy to share documents among staff and computers by creating a “virtual hard drive” on someone else’s servers that many people can access.
Google’s version of cloud storage is called Google Drive.
Whether or not you believe Google is trying to take over the world by collecting as much knowledge as possible, you can’t ignore some recent issues.
First, let me say this: you should not store any PHI in a consumer file-sharing system like Google Drive. Without a signed Business Associate Agreement (BAA) covering that service, HIPAA does not allow it, and I don’t think it is smart business either.
So, What is the Problem?
The real problem is the creep in Google’s privacy guidelines. What starts as “we don’t look at your data” becomes, over time, something quite different.
Take, for example, this latest bit of news: Google is currently going through more drama about gathering personal information. This hoo-ha is about the cars Google drives around the world to map everything. As they went, they also captured data from unencrypted WiFi networks they passed and kept whatever they picked up.
So, now you want to store your business information on Google’s servers?
Bad idea for HIPAA compliance.
Not a smart business decision.
But my EHR is Cloud Based
Apples and oranges, my friend. The fact that your electronic health records (EHR) system is cloud based (also called web-based or Software as a Service, SaaS) is completely different: the EHR vendor handles PHI as a matter of course and signs a BAA with your practice, which a general-purpose file-sharing service does not. Something to realize, though: many free EHRs will mine your patient data. This may not be anything you really care about, but de-identified patient data (PHI with the identifiers stripped) can be quite valuable for research. Many physicians who run a server-based EHR get paid to allow research institutions to mine their patient data.
What About Off Site Backup?
Also different, usually. If you are using an off-site backup service, you must ensure they are HIPAA compliant and will sign a BAA. No data should leave your property that isn’t completely encrypted, with the keys staying in your hands rather than the provider’s; this also prevents unwanted data mining, because the provider only ever holds ciphertext.
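To make “encrypted before it leaves the building, keys held by the practice” concrete, here is an added example (not code from the original post or from any backup vendor) that seals a backup with AES-256-GCM before upload. The key is generated locally and would in practice live in an on-premises key store; the backup file name is bound as associated data so one encrypted blob cannot be swapped for another; and a single flipped byte, a wrong key, or a wrong label all fail to decrypt. The patient record inside is a constructed sample, not real PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample standing in for a backup file. Not real patient data.
const sampleRecord = "MRN 000000 | constructed sample record | dx: example"

// NewBackupKey generates a fresh 256-bit key. In a practice this key stays in
// an on-premises key store or HSM, never alongside the backup it protects and
// never with the backup provider (assumption for this example).
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM. The label (e.g. the backup
// file name) is authenticated as associated data, so a blob stored under one
// name cannot be replayed as a different file. Output: nonce || ciphertext+tag.
func EncryptBackup(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce; it must never repeat under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst, which here starts as the nonce.
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptBackup reverses EncryptBackup. Any modification of the blob, a wrong
// key, or a mismatched label makes Open return an error instead of plaintext.
func DecryptBackup(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("backup blob too short to be valid")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(label))
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	const name = "practice-backup-2024-01-15.tar"
	blob, err := EncryptBackup(key, []byte(sampleRecord), name)
	if err != nil {
		panic(err)
	}
	// This is all the off-site provider ever receives: opaque bytes.
	fmt.Printf("uploaded %d bytes, first 16: %x\n", len(blob), blob[:16])

	// Simulate the provider (or an attacker) altering one byte in storage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptBackup(key, tampered, name); err != nil {
		fmt.Println("tampered backup rejected:", err)
	}

	// Restore on-premises with the locally held key and the right label.
	plain, err := DecryptBackup(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", string(plain))
}
```

Run it and the only thing that would ever sit on the provider’s disks is the hex line; the record comes back only where the key is. Key management (rotation, escrow for staff turnover, a tested restore drill) is the part the encryption call does not solve and the part a HIPAA policy has to spell out.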
The moral of this story: the easiest solution tends NOT to be the HIPAA-compliant one.