How to Share Electronic Health Record (EHR) Information Securely When Working in the Cloud

When patients see their doctors, it is not uncommon for them to be referred to a specialist to better address concerns. For the specialist to assist a new patient, electronic health record (EHR) information must be exchanged between the referring practitioner and the new one. This can be risky considering the threat of EHR security breaches during the exchange process. In addition, in the United States, healthcare practitioners must only exchange EHR information using approved transfer methods outlined by the Health Insurance Portability and Accountability Act (HIPAA). Failure to do so can result in steep fines for EHR and HIPAA violations.

According to data provided by Entrepreneur, hybrid cloud deployment in the healthcare industry is expected to reach 37% in 2021. That is up from 19% in 2019. With more healthcare organizations adopting cloud technology, it is reasonable to imagine that there will be a spike in data being shared electronically between practitioners within and outside of a particular organization. So, before you get started, continue reading to find out how to securely share EHR information as part of cloud-based EHR security.

A HIPAA Refresher

In case you are in need of a simple reminder, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

What are the transfer and storage problems with electronic health records?

When it comes to the transfer of EHR information, doing it securely should be one of the most important considerations of any healthcare practitioner. Not just due to the threat of fines, but also for the integrity of the information being sent. According to HealthIT.gov, a CE (Covered Entity) may only use or disclose EHR information if either (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information provides a written authorization.

EHR information is some of the most valuable data available to hackers on the black market. Many cyber criminals prefer it to credit card data due to the amount they can receive from health insurance fraud claims. Storing data in the cloud can offer up substantial benefits when it comes to both productivity and security. It gives users the ability to access data across devices while eliminating the costs of maintaining physical infrastructure. Cloud service also allows data to be stored across multiple locations. This can be beneficial in scenarios where there is a power outage, theft, fire, or other natural disaster. Although storing data in the cloud offers up several benefits, it can also present some complex challenges. Healthcare practitioners are essentially trusting cloud service providers to implement EHR security measures by performing updates and manage EHR data security on their behalf. Insider threats can also be an oversight for businesses and other organizations.

Many cloud providers allow you to share access to your online folders. A couple of tips to remember:

• Your data should always be encrypted when being uploaded to or downloaded from the cloud
• Check to see if your cloud software requires an encrypted connection before transferring data to it. This can be helpful if you are forgetful

Ready to transfer files securely? Ensure you have the following in order:

• Assign unique user IDs (required): Individuals who transfer files must be assigned a unique identifier. This can be an SSH key or a username. This is to help in tracking each user's activity
• Encryption and decryption of EHR information (addressable): Data being transferred must be encrypted. This will ensure that if it ends up in the 'wrong hands' it can be rendered useless
• Audit controls (required): Ensure that hardware, software, or other procedural mechanisms are built into the cloud software for recording and analyzing information systems that contain or utilize EHR information
• Integrity controls (required): Your file transfer system must have a way to ensure that data sent is the same as data received (i.e. they were not tampered with)
• Person or entity authentication (required): There must be a procedure in place to ensure that any person or entity seeking access to EHR information is who they say they are
• Automatic Logoff (required): Any device used to send or receive EHR information must have an automatic logoff feature after a period of inactivity. This would be used to prevent unauthorized access to EHR information when a device is left unattended

Is Text-Messaging HIPAA Compliant?

The short answer is no. HIPAA does not mention SMS text messaging as a permitted form of communication. Due to the nature of the technology, it is technically not allowed in most cases. There are a few exceptions which we will go through in more detail below.

When looking to send EHR information, the best way to do this is by using a secure messaging solution. Often, these are web-based applications that create a communications network exclusively for use by authorized employees within a healthcare setting.

• Doctor to patient contact: If a covered entity would like to text a patient their EHR information, they can do so as long as the patient has been made aware of the potential EHR privacy and security issues and agrees to communicate using this platform. Both the warning and consent must be documented
• Natural disasters: The U.S. Department of Health and Human Services could waive rules, such as those that surround HIPAA compliant messaging during a time of a natural disaster like a hurricane, earthquake, or other related crisis
• HIPAA compliant messaging application: If a covered entity implements a secure messaging solution that works on mobile devices, then this would be allowable under HIPAA rules. The main trait of a compliant messaging system would be data encryption

What are the penalties associated with EHR and HIPAA violations?

Sharing EHR information from a cloud to an end user can be a simple process. Ensuring it is HIPAA compliant from start to finish can be tricky. Ensuring you have the correct process in place can help your organization avoid hefty penalties.

When an organization is cited for a HIPAA violation, penalties are not just financial in nature, but also require covered entities to take corrective action. This means new policies and procedures must be adopted to avoid future instances, while also meeting the rigorous standards of HIPAA. This applies to healthcare providers, covered entities and business associates (BAs) of covered entities. It is important to remember that punishment under HIPAA rules can also apply when an organization fails to provide the correct notification of breach or misuse.

According to HIPAA Journal, there are four violation tiers with associated fines for each.

• Tier 1: Constitutes a violation that a covered entity was not aware of and could not have been easily avoided. The covered entity had taken all of the necessary precautions to avoid such violation and were abiding by all HIPAA guidelines.
  • Minimum fine = $100 per violation up to $50,000
• Tier 2: Constitutes a violation that a covered entity should have been aware of but was still difficult to avoid. They are following HIPAA guidelines and did not willfully neglect them causing the violation.
  • Minimum fine = $1,000 per violation up to $50,000
• Tier 3: Constitutes a violation created due to a wilful neglect of HIPAA rules. In this case, the covered entity was attempting to correct the issue after it occurred.
  • Minimum fine = $10,000 per violation up to $50,000
• Tier 4: Constitutes a violation created due to a wilful neglect of HIPAA rules. The covered entity has made no attempt to correct the issue throughout the process.
  • Minimum fine = $50,000 per violation

Based on the descriptions of non-compliance tiers and fines above, it would be reasonable to imagine that misuse of HIPAA rules regarding the sharing of EHR information via the cloud would fall under a tier 3 or 4 offense. For a visual look at HIPAA violations and corresponding fines, see the image below.

Giva's HIPAA compliant solution brings you peace of mind

In simple terms, Giva makes HIPAA compliance simple. When it comes to sharing data, Giva's HIPAA-compliant cloud solutions offer up the following benefits to assist in keeping data safe.

• Data encryption
• Network access controls
• Logging

Although these are important to remain compliant when sharing data via the cloud, there are also other ways Giva can help you to be both compliant and efficient when working in the cloud. You can learn more and even sign up for a free 30-day trial to see the difference for yourself.