
Avoid Cloud HIPAA Breaches like OHSU’s with Azure or Office 365

Healthcare IT News’ Erin McCann recently reported that Oregon Health & Science University had to again notify patients that their protected health information had been compromised. From Erin’s post:

The Oregon Health & Science University has notified 3,044 patients that their protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data.
The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information, according to officials.
This is OHSU’s fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services. 
The data for the majority of the patients compromised included patient names, medical record numbers, ages, provider names, diagnoses and dates of service. For 731 of those patients, the data also included addresses. 
This past May, an OHSU official discovered residents and physicians-in-training within the Division of Plastic and Reconstructive Surgery were using cloud services to maintain a spreadsheet of patients. Their intent, according to an OHSU notice, was to provide each other accurate information about who was admitted to the hospital under the care of their division.
Upon learning of the incident, OHSU information privacy and security officials launched an investigation to the information stored, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved. This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services. After weeks spent reconstructing the data, officials discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.

It continues to be a surprise to me that healthcare providers would take risks like this, especially when there are cloud-based options where a BAA is available. Microsoft’s Windows Azure and Office 365 are cloud-based services that offer Business Associate Agreement (BAA) availability.
 
The Perficient team recently helped a hospital move from a Google-based solution to Office 365 and SharePoint Online to address HIPAA compliance and other needs. That hospital experiences more than 315,000 patient encounters for inpatient and outpatient medical care and community programs each year and had been using Google Apps for the past few years. They needed to find a new solution for mail, calendar, and contacts that was HIPAA compliant. In addition, they needed the solution to provide eDiscovery and data loss prevention.
 
Office 365 offered the perfect solution in this case: better enterprise security, which the hospital needed; important features such as archiving and the ability for administrative staff to manage multiple calendars and mailboxes; and BAA availability to address HIPAA compliance-related concerns. Using Office 365, the hospital has improved mobile device security, where a lost device can be wiped clean, and can also prevent employees from forwarding mail to outside email accounts.
 
Perficient also assisted the hospital with a move from Google Docs to SharePoint Online. The business necessity of replacing Google Docs and Google Sites gave the client the opportunity to strategically deploy key features that improve communication and collaboration at the hospital. By leveraging Office 365 for mail, collaboration, and instant messaging, the hospital will eliminate other sharing services currently being used and further reduce costs.


Liza Sisler

I am passionate about connecting people and information and fascinated by the evolution of social business solutions and cloud adoption. I currently lead Perficient's Partner & Industry Marketing team and am fortunate to work with incredibly talented people sharing the stories, accomplishments and insights of the Perficient team.
