Liles Parker PLLC

The Cloud Storage of Medical Records Presents a Number of Risks

(July 3, 2014): The growing trend of storing all kinds of data in the cloud comes with benefits and risks. When the data is medical records, however, patient privacy becomes a special concern.  With a properly implemented cloud storage system, hospitals can share information far more efficiently. Prescriptions and test results are immediately available to hospital departments and floors that previously had ineffective communication networks, so tasks are processed more quickly and performance and overall patient health improve. Another benefit of storing medical records in the cloud is that doctors are not tied to their offices to look up patient information; they can pull up medical records remotely. Also, when a patient moves to a new doctor, the files can be transferred with far less hassle. Finally, cloud computing has proven cost-effective for patients and healthcare providers, because patients do not have to pay twice for the same test when they go to different doctors and medical offices.

I.  Risks Encountered When Relying on Cloud Storage of Medical Records:

While storing medical records digitally in the cloud may offer great promise for increasing the efficiency of the health care system, the cloud is not necessarily as secure as other forms of storage. Data security and privacy of health information are major obstacles. If a medical provider loses control of patient data, privacy could be endangered.  The basic rules for how the American medical industry handles private data are in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many argue, however, that just because a system is HIPAA and HITECH compliant does not mean it is secure: compliance sets a floor, not a guarantee.

  • Hackers

The headline of a year-long Washington Post examination released in December 2012 called the health care sector “vulnerable to hackers.” A computer scientist and technical director of the Information Security Institute at Johns Hopkins University was quoted as saying, “I have never seen an industry with more gaping security holes.”  In 2012, Eastern European hackers broke into Utah’s state health records database, gaining access to personal information on 780,000 patients, including some 280,000 Social Security numbers.

  • Human Error

Like so many other problems, medical privacy in the cloud often comes down to human error. Encrypted data is only as safe as the passwords and keys that protect it, and protecting those requires well-trained and conscientious employees. There have been several instances where employees maliciously stole data before leaving a company or absent-mindedly put data at risk by storing files on mobile devices that were later lost or stolen. A couple of years ago, a contractor for a university hospital lost a laptop holding the medical records of more than 34,000 patients. Last fall, an unencrypted laptop stolen from a California hospital exposed the medical records of 250,000 patients. The word “unencrypted” matters: under the HIPAA breach notification rules, protected health information that has been encrypted consistent with HHS guidance is not considered “unsecured,” so a lost device with full-disk encryption is a very different event from a lost device without it.

Physicians and their staff are not the only ones who could be at fault. Employees of other companies using the same cloud service could also make a mistake, cause a data breach, or even intentionally steal or sell information stored on the cloud. A virus or other malicious program could potentially spread from one client’s office to the cloud server, and from there to other offices.

Finally, if a medical provider closes his or her practice, medical records stored in the cloud could be lost or left at risk. If the provider does not keep a local backup, vital information may become inaccessible.

II.  Final Remarks:

It is critically important for health care providers choosing to store medical records in the cloud to implement policies and training requirements to protect the privacy of patients. Providers should go beyond the requirements of HIPAA and HITECH to ensure adequate measures are taken to avoid being hacked, to prevent and fix human errors, and to keep up with technological advancements and threats.


Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers around the country in connection with both regulatory and transactional legal projects. For a free consultation, call Robert at: 1 (800) 475-1906.

Physician Office OSHA Standards Present a Number of Compliance Challenges

(July 2, 2014): The Occupational Safety and Health Administration (OSHA) is an agency of the United States Department of Labor. Its purpose is to assure safe and healthy working conditions for all working men and women by setting and enforcing standards and by providing education, training, outreach, and assistance. OSHA creates standards and guidelines that apply to every workplace in the country, including medical offices. Physicians and staff should regularly receive training and review office policies and procedures to be sure that they comply with all required federal regulations, including those OSHA sets forth. For physicians, whether certain protocols and procedures apply will depend on their practice type and whom they serve. However, certain physician office OSHA standards apply to any medical office, and these are listed below. The standards cited most frequently in physician office inspections are bloodborne pathogens and hazard communication. Less frequently cited standards are sanitation, means of egress, personal protective equipment, respiratory protection, and medical services and first aid.

I.  Bloodborne Pathogens Standard:

Some basic requirements of the OSHA Bloodborne Pathogens standard include:

  • A written exposure control plan that needs to be updated annually.
  • Consideration, implementation, and use of safer engineered needles and sharps.
  • Use of appropriate personal protective equipment.
  • Hepatitis B vaccination (HBV) provided to exposed employees at no cost.
  • Medical follow-up in the event of an “exposure incident.”
  • Use of labels or color-coding for items such as sharps disposal boxes, containers for regulated waste, contaminated laundry, and certain specimens.
  • Employee training at the time of initial employment and at least annually thereafter.
  • Proper containment of all regulated waste.

Because of turnover and expense considerations, some practices wait until after the new-employee probation period to offer the hepatitis B vaccine. This is one of the more frequently cited bloodborne pathogen violations found during OSHA inspections, and the average initial fine is $1,717. The standard requires that the vaccine be made available within 10 working days of initial assignment to a job with occupational exposure, so waiting until the end of a probation period is compliant only if that period is no longer than 10 working days.

II. Hazard Communication Standard:

The hazard communication standard is sometimes called the “employee right-to-know” standard. It requires employee access to hazard information. The basic requirements include:

  • A written hazard communication program.
  • A list of hazardous chemicals used or stored in the office.
  • A copy of the Material Safety Data Sheet (MSDS), now called the Safety Data Sheet (SDS) under the 2012 revision of the standard, for each chemical used or stored in the office.
  • Employee training at hiring and whenever the employer introduces new physical or health hazards into the workplace.

An office does not need MSDSs for household products used in the workplace as long as employees use the product for the same duration and frequency as the typical consumer.

III. Ionizing Radiation Standards:

This standard applies to facilities that have an x-ray machine and requires the following:

  • A survey of the types of radiation used in the facility, including x-rays.
  • Restricted areas to limit employee exposures.
  • Employees working in restricted areas must wear personal radiation monitors.
  • Caution signs in and on rooms and equipment.

IV.  Electrical Standards:

OSHA electrical standards apply to electrical equipment and wiring in hazardous locations. These standards address electrical safety requirements to safeguard employees. For example, if a practice uses flammable gases, they may need special wiring and equipment installation.

V. Medical Records – Laws and Confidentiality Standards:

It is critical that physicians understand the regulations surrounding medical records. Most physicians and their staff are familiar with laws that affect information collected in medical records, including the Health Insurance Portability and Accountability Act (HIPAA) and the Americans with Disabilities Act Amendments Act (ADAAA). Individual states also have laws about the privacy and confidentiality of personal medical records.

OSHA has its own requirements for medical records. This provision requires employers to retain occupational medical and exposure records for 30 years after a worker’s employment ends. The purpose of this requirement is to provide access to the records for employees and their representatives after a worker has left employment. Employers must give employees access to these records at no cost within 15 working days of the request.

VI.  Other Physician Office OSHA Standards and Considerations:

In addition to the standards discussed above, physicians must identify all chemical, biological, physical, ergonomic and psychological occupational health hazards. They must know and follow applicable state and local regulations related to issues such as pharmaceutical and vaccine storage and medical waste. Physicians must also be familiar with the screening protocols and procedures and the calibration requirements for equipment such as spirometers and audiometers.  These are only some of the physician office OSHA standards that pertain specifically to medical environments. Physicians must review (or create) policies and procedures to assure compliance with all OSHA standards as well as with the requirements of other certification and licensing bodies.

VII.  Final Remarks:

OSHA regulations must be implemented in every physician’s office. OSHA may perform unannounced compliance inspections, and the fines for willful violations are steep. Physicians need to ensure that their practices comply with all OSHA standards and that they maintain an OSHA manual, the required poster, and all other required documentation.
