Concerns With Cloud-based EMR Systems
Posted By American Med Spa Association, Thursday, June 18, 2015
By Michael J. Sacopulos, CEO, Medical Risk Institute
The dispute between a small Maine practice and its cloud-based Electronic Medical Records (EMR) provider had been festering for months. The practice complained that the system lacked key functionality and did not perform adequately. The Software as a Service (SaaS) provider argued that the practice was delinquent on payments and had not gone through proper training on the system. As patience and civility waned, hostility and rhetoric escalated. Then one morning the practice powered up its computers only to find that it had been cut off from its own patients’ records. The EMR provider had just played its trump card.
The Maine practice is not alone. I recently got a call from an Alabama practice: “Our EMR company is extorting us! Unless we pay them, they are going to block us from our own patients’ charts.” Then there was the call from an IT firm hosting an Illinois surgical practice’s charts: “They (the medical practice) want out of the contract, but I have their data. They aren’t going anywhere.” Once your patients’ data is on someone else’s server, your practice has a number of potential risks and compliance issues.
The legal and ethical consequences of placing your practice’s patient data on someone else’s server are significant. Contractual disputes do not relieve a practice of its legal obligations to maintain and store patient charts. Beyond legal requirements, there are issues of patient care and safety. It takes little imagination to envision patient harm and a subsequent malpractice claim arising from a chart held ransom.
Risk Analysis
EMR firms that offer SaaS or cloud-based services seem seductively simple. Who would not want to outsource as many IT issues as possible? Ironically, cloud-based EMR providers may increase complexity for the practice in the long run. One area where we see this is the routine Risk Analysis.
A Risk Analysis is required under Federal law. The report generated by this analysis is designed to assess the physical and electronic security of patient data: where it is stored, who can access it, how it is backed up, and how it is protected in transit and at rest. This task is much more difficult if a third party holds the patient data. If the practice has its server in house, these security questions and dozens more are much easier to answer. But the complexities of cloud-based EMR systems don’t end there.
A server beyond your control can limit options and make risk analyses more difficult. In the event of a data breach, it is often difficult to have a forensic exam performed on a cloud-based system. Another related issue is patient data housed on servers outside the jurisdiction of the United States. Once your patients’ data has emigrated, it is beyond the reach of our government and legal system, thus removing layers of systemic protection.
Business Associates
The U.S. Department of Health and Human Services has made clear that cloud-based EMR providers are Business Associates under the law. According to HHS, “A software company that hosts the software containing patient information on its server… is a business associate.” Under the Omnibus Rule of 2013, Business Associates come under the jurisdiction of the Federal government and must comply with certain patient privacy standards. These compliance standards are meaningless outside of the United States. The geographic location of patient data is such a concern that some health systems prohibit their patients’ data from resting outside the United States.
Cyber Risks and Patient Concerns
Patients have grown increasingly concerned about the safety of their health data. A study conducted four years ago reported approximately 13% of patients withheld personal health information from their physician due to data security concerns. A recent study has shown that number to now be 21%. Perhaps this is in reaction to the 72% rise in healthcare cyber-attacks from 2013 to 2014. Over that same period, medical identity theft increased 22%. The public has legitimate fear for the security of patients’ health data.
Woe is the medical practice that has a data breach. Research shows a majority of patients (54%) will be “moderately” or “very likely” to change doctors as a result of a patient data breach. Additionally, the costs associated with such a breach can be $130.00 per patient or more to address the breach. Financial and business exposure of such magnitude argues for tight control and oversight, not outsourcing.
An Example of a Cloud-Based Problem in Aesthetic Medicine
Several years ago the Division of Plastic and Reconstructive Surgery at Oregon Health and Science University had a cloud-based breach of patient data. Residents of the program were using internet-based services to maintain a spreadsheet of patients. The internet-based providers had terms of service that stated stored data could be used for the “purpose of operating, promoting, and improving [its] services…” Although there was no evidence that patient data had been accessed inappropriately, 3044 patients nonetheless had to be informed of the potential exposure of their protected health information. The cloud-based provider’s terms of use triggered this unfortunate situation for OHSU.
Conclusion
While cloud-based, or SaaS, electronic medical record systems provide some benefits and convenience, their associated risks are often overlooked and underestimated. Documenting HIPAA and HITECH Act compliance becomes more complicated with cloud-based EMR systems. Once your patients’ data has been migrated to another entity’s server, there is often less control over its location and storage. This lack of control can be problematic in the event of a breach. Unfortunately, as health data breaches continue to grow in frequency and magnitude, patients are becoming more sensitive to the cyber security of their health information. This has resulted in the disturbing trend of some patients withholding personal health data from their physicians. Here we cross the line separating compliance from patient safety. Every effort needs to be made to assure patients about the safety of their health information. This may be difficult to do if the information is being uploaded to and housed upon a remote, multi-user cloud-based server. Ironically, the touted benefits of cloud-based EMR systems may ultimately trigger compliance and patient safety concerns and harm.
Michael J. Sacopulos is the CEO of Medical Risk Institute (MRI) and serves as General Counsel for Medical Justice Services, a 4,000 member group with physicians in all 50 states. Medical Risk Institute provides proactive counsel to the healthcare community to identify where liability risks originate, and to reduce or remove these risks. In 2012, Michael won the Edward B. Stevens Article of the Year Award for MGMA and had a Top 10 article of 2014 on Medscape. He has recently been named the Executive Vice President of the Aesthetic Stem Cell Society. Additionally he has written for the Wall Street Journal, Forbes, Bloomberg and many other publications for the medical profession. He is a frequent national speaker and has appeared on Fox Business News. He attended Harvard College, London School of Economics and Indiana University/Purdue University School of Law. He may be reached at msacopulos@medriskinstitute.com.