HIPAA Compliance: Why Cloud-Based EMR is Your Security Champ

At this point, I think it is safe to say that sensitive data—such as patient records—is more secure in digital storage (i.e., electronic medical records) than it is in filing cabinets (i.e., paper charts). Software Advice’s analysis of the US Department of Health and Human Services (HHS) 2011 HIPAA security violation report supports this observation. But data security—and therefore HIPAA compliance—isn’t as cut-and-dried as computer versus filing cabinet. In fact, paper isn’t even a contender in this discussion. When it comes to patient data and security in today’s medical landscape, the two duking it out are both digital—and cloud-based has run away with the title.

Cloud. Server. What’s the Difference?

In a cloud- or web-based system, the EMR stores your clinic’s data—which can include everything from patient records to schedules—within data centers. You can then access that data via the web. All you need is a web-enabled device with an Internet connection. In short, you don’t store your data on internal servers (e.g., the computers at your practice), and you access the EMR and everything that goes along with it through your web browser (e.g., Google Chrome, Mozilla Firefox, or Internet Explorer).

In contrast, server-based EMR systems require your practice to store all its data, as well as the EMR software itself, on servers at your own location. This means you’d need a server, the corresponding hardware, and an IT person or staff simply to maintain everything.

Why the Emphasis on Security?

The Health Insurance Portability and Accountability Act (HIPAA) is a beast, especially with the newly introduced Final Omnibus Rule. HIPAA decrees that all healthcare providers, insurers, and their business associates may only collect, share, or use a patient’s protected health information (PHI) via the act’s approved methods and only for the explicit purpose of furthering patient care. To put it succinctly: if you violate HIPAA, you—and your practice—are in a world of hurt. Thus, data security is paramount.

How is Cloud-Based More Secure?

As this ServerWatch article explains, cloud-based software providers built their systems from scratch with the web in mind. Thus, they have “security best practices planned for and built into the system from the ground up. This includes everything from the core cloud computing software platform to the processes that are put in place and the monitoring systems used to control them.” How does that translate to you, the user? As I mentioned above, cloud-based EMR systems use data centers to house all their—and thus, your—data. To ensure HIPAA compliance, these data centers must possess bank-level physical security and strong encryption that renders stored data unreadable even if attackers somehow get to it (provided the encryption keys are stored and managed separately from the data they protect).

Server-based EMR systems, on the other hand, often leave data unencrypted. Furthermore, your data is only as secure as the room housing those servers, which means that in the unfortunate event of a robbery, fire, or natural disaster, your data is in peril. You’re also at risk for a HIPAA violation. Data centers, however, securely back up data to multiple locations, so in the event of a natural disaster or fire, your data is still safe. Data centers also protect against physical breaches. Take web-based physical therapy EMR WebPT, for example. WebPT houses all its data at the HIPAA-compliant IO Data Center in Phoenix, which has digital video surveillance, biometric screening, round-the-clock guards, and a defensible perimeter.

ServerWatch points out that “One of the biggest security problems for many organizations is the insider threat—the risk that an employee with access to sensitive systems will use his [or her] access privileges to compromise security.” There is also the chance that the server-based software and the computer it’s housed on lack the security protocols necessary to truly ensure HIPAA compliance. Cloud-based EMR systems take all this off the table, though. Most systems provide a unique user ID and password for each user (think: therapists, assistants, front office staff), which lets your clinic’s admin or director control which staff members can access your patients’ private information. To use WebPT as an example again, WebPT uses 256-bit SSL encryption for its customer interfaces. And as a recipient of the TRUSTe Certified Privacy badge, WebPT employs strict password guidelines for customers to ensure login security.

And that’s how cloud-based EMR systems best server-based software when it comes to security and HIPAA compliance. Bottom line: Make sure you’re using an EMR system, and make sure that system is cloud-based. Of course, not all cloud-based EMR systems are created equal, so it’s crucial that you vet potential vendors. Here is a list of questions you can ask. Already using a cloud-based EMR system? Ask them the same questions to ensure they’re up to snuff. And I recommend addressing the security of your data sooner rather than later. After all, HIPAA compliance is definitely not something for the back burner, and cloud-based technology isn’t going anywhere. It’s more than the future; it’s the present. Even the CIA is moving all its data to the cloud—and they’re the CIA.