Pre-, post-contract scrutiny of cloud EHR vendors a must for providers

Providers opting to use cloud-based electronic health record systems must scrutinize their vendors more now that the HIPAA omnibus rule makes clear that such vendors can be punished as business associates, according to James Koenig, privacy practice co-leader for PwC, who spoke at the sixth annual NIST/OCR HIPAA Security Rule Conference May 21 in Washington, D.C.

"Before you just trusted them," Koenig (pictured) said. "Now it's clear there's a deeper level of expectation and you need to review their practices."

According to Koenig, of 11 million people affected by security breaches over the past two years, more than half (55 percent) of those instances involved business associates. As more patient protected health information (PHI) is stored in the cloud, Koenig suggests that providers ask such vendors tough questions, including:

  • Where in the cloud is PHI located? Where are data centers located and how secure are they?
  • What is your incident response plan to minimize breach risks?
  • Is encryption being used to prevent breach notification obligations?
  • Who has access to the provider's PHI in the cloud and what controls do you have in place to prevent unauthorized access?
  • How do you segregate data of different providers to prevent "domino destruction" and "neighbor peeping"?
  • How do you dispose of the PHI at the end of the contract?

McKesson Director of Product Security Ted LeSueur, who presented with Koenig, added that providers also should audit cloud vendors after a contract is signed, since providers ultimately remain liable for breaches under HIPAA, as well.

To learn more:
- read the presentation slides (.pdf)