You know you’ve heard this term used, “The Cloud” is a favorite right now.
Salespeople use it to sound cool.
End users say it to sound cool.
Every web startup out there uses it to sound relevant.
For most practices, The Cloud can be used in two ways:
- You use a web based, software as a service (SaaS) EHR
- You store data via services like SugarSync, Dropbox, even iCloud
In the article Can You Trust the Cloud with Your Personal Data, some pros & cons of using The Cloud are discussed, and I’ve decided to take a few moments and put a HIPAA angle on this topic.
First, your EHR – if you use a SaaS based EHR, you are using the cloud. In theory all your data is backed up and secure, though you’ll want to double check what the fine print of your contract actually says.
Other office data – if you are using the cloud for anything that contains PHI, look out. Check with the service you are using to make 100% sure they are HIPAA compliant. Many are not. Also be sure to note this fact in your HIPAA policies.
So, let’s say your cloud provider is HIPAA compliant, all is well, correct?
Nope, there is one more place you can get tripped up – the naming of files.
For a cloud storage service to be HIPAA compliant, among other things, the data they store must be encrypted.
BUT – the file names are not encrypted.
For those who can’t quite remember the 18 items, here they are:
Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
Really, the only acceptable way to name a file would be to use a randomly generated name. Though this process would work, it would also be challenging to keep track of everything.
What’s my point? Be smart, don’t get caught up with the feeling that you need a cloud.
Realize you can have your own internal secure cloud.
No matter what, be sure to document everything in your HIPAA policies.