As hospitals and healthcare facilities continue to adopt electronic tools to store and share patient data, some are turning to cloud-based tools to meet their needs. What that means for privacy and protection still is up for debate, as evidenced in the tone of a discussion panel at last week's Health Privacy Summit in Washington, D.C.
"When data is managed or stored in-house [by a provider], there's a very clear responsibility of one company" to protect that data, Adrian Gropper, chief technology officer for Patient Privacy Rights, the non-profit organization that hosted the event, said. "The cloud blurs that distinction--sometimes intentionally."
John McDaniel, healthcare CIO at Sunnyvale, Calif.-based NetApp, a computer storage and data management company, made a strong case in favor of cloud use in healthcare, saying that he thinks within the next few years, cloud-based service will be more the norm rather than the exception.
"If you look at where the cloud is going, it's projecting to be a $200 billion market in the next several years," McDaniel said. "No longer as an industry can we afford to spend $200 million on electronic health records. I think you're going to see more [EHR] vendors going to the cloud, and a majority of health information exchanges will be cloud based, as well."
However, Maneesha Mithal, associate director of the Division of Privacy and Identity Protection with the Federal Trade Commission's Bureau of Consumer Protection, pointed out that privacy protection for cloud-stored information will be no easy task. There are several different kinds of cloud models, she said--hospital cloud models, personal applications and direct storage of data, for instance--with each one boasting a different legal framework.
"There are lots of ways direct-to-consumer entities are collecting data not applicable to HIPAA," Mithal said. "It's not exactly the Wild West, but … HIPAA has a very clear de-identification standard. The FTC's standards for de-identification are different."
According to Mithal, the FTC's standards are based on three criteria:
- That an organization takes reasonable steps to de-identify protected data
- That an organization announces that re-identification of data will not occur
- That an organization promises to not contract with entities that will re-identify data
At the 20th National HIPAA Summit in March 2012, attorneys raised the red flag on security issues with cloud-based electronic health record systems, with one pointing out that in such a setup, healthcare information is stored, used and analyzed remotely from the users, and accessed online. "It's going somewhere you don't know," attorney Howard Burde said.