Cloud Computing in Health Care: Overview of the Main Challenges
Wiley Rein partner Kirk Nahra's above-entitled article appeared in a recent issue of Data Protection Law & Policy. The following is a summary excerpt.
Technology and Health Care
Cost, efficiency and effectiveness create ongoing complexity for the health care industry. The latest new technology will fix or mitigate these problems, for the benefit of the health care system, individual patients and those paying for health care. But the regulatory system is getting in the way of this technology making this all work. If we could just let the technology work, everything would be well.
First, it was the Health Insurance Portability and Accountability Act (HIPAA) “standard transactions” rule. This idea—streamlined, uniform electronic transactions, fitting all shapes and sizes in the health care industry—would create enormous efficiencies and ease transaction costs. But it hasn't quite worked out that way. It cost a lot more to move to these standardized systems, and the regulatory challenges were substantial.
Next (and still underway) is the movement toward electronic health records. The idea was straightforward. If the industry could move toward electronic records, then we could achieve better care at lower cost. But, again, it hasn't quite worked out that way. The costs of building these systems are higher, and the variety of state and federal privacy laws (as just one example) are getting in the way of building the system. So, while technology presents significant opportunities—including the rare possibility in the health care system of better care and lower costs—we haven't yet seen these opportunities come to fruition.
The latest technological opportunity comes through the use of cloud computing. As the concept of cloud computing has rapidly moved onto the scene, businesses across all industries have moved swiftly (and some would argue recklessly) to take advantage of “the cloud,” often without fully realizing the hidden risks associated with this movement because of the immediate lure of visible cost savings. The health care industry (as it often is) has been slow to take advantage of the technological opportunities presented by the cloud, but the issues with cloud computing go deeper than this general technological reluctance. Two primary issues seem to be driving the debate in the health care industry.
Data Security and Availability
The first issue involves the security of data provided to the cloud. The health care industry—as well as its service providers—must follow the HIPAA Security Rule, which contains a detailed set of security procedures and protocols, along with specific contractual requirements. At the same time, the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) security breach notification rule (along with related enforcement and an enormous number of security breaches involving health care data) has placed an intense focus on protecting the security of health care data.
This leads to specific and understandable security concerns about cloud services, based on both a fear of the unknown and complexity as to how the Security Rule requirements translate to the cloud environment. And many cloud service providers have not helped their cause in the health care industry by (a) being vague, confusing and often unresponsive in describing and explaining information security controls; (b) often refusing to take responsibility for security breaches; and (c) in some instances, even refusing to acknowledge HIPAA obligations as a business associate or engage in any discussions or negotiations about required contract contents.
Related to security is an important second challenge—the idea of “availability” of the data. Health care providers need access to patient data all the time, immediately and reliably. While the cloud often provides this, there remain concerns about accessibility of data on an automatic basis, with consistent reliability. And, where health care providers are concerned about this reliability, they either will refuse to use the cloud or will find a need to build redundant systems, thereby reducing or eliminating the cost benefits of the cloud.
The cloud will grow in health care—but perhaps slowly and only if cloud providers are willing to adapt their approach to the unique challenges of the health care environment. Unlike some other technology developments (such as electronic health records) that were premised on “win-win” situations, where costs could go down and treatment could improve, the balance here is trickier. The only benefit is lower cost. There isn't (yet?) an argument that privacy and security will be better in the cloud. It is only a question (as of now) as to how much worse they are, and whether that “worse” is worth the cost savings. Until the privacy and security safeguards can affect this balance, we are likely to see only a small movement in cloud options in the near term.