Legal Scholars Cite New Challenges in Struggle to Protect Patient Privacy

Andrew Kitchenman | July 10, 2013 | Health Care
Recommendations would clarify responsibilities of doctors, healthcare vendors

The privacy of patients’ medical records has been protected by federal law since the mid-1990s, but two Seton Hall School of Law faculty members are concerned that the rise of cloud computing poses new threats to the security of these records.

In a new paper, Frank Pasquale and Tara Adams Ragone argue that regulators need to examine whether further action is needed to secure records stored on remote Internet servers.

In particular, they say, the agreements between medical providers such as doctors’ offices and major vendors need to include assurances that cloud computing companies will be liable for protecting the records.

“When you have the protected health information stored in a central location, hackers will want to go in, (and) will attack the treasure trove,” said Ragone, a research fellow and lecturer. “People have to have that information protected and not out into the public.”

Pasquale, a professor, said the paper arose from his long-term interests in both the legal issues raised by cloud computing and the increasingly important role of electronic health records.

Pasquale said that existing information technology firms have wanted to treat medical records in the same way that they treat all other records stored on their servers. But due to the 1996 Health Insurance Portability and Accountability Act (HIPAA), companies whose services are used to store health records must also make sure the information is secure, he said.

“They want to disclaim all liability,” pushing all of it onto medical providers, Pasquale said of the IT firms.

The issue affects companies ranging from regional vendors that medical providers hire to develop electronic health records to global giants like Google and Yahoo whose services are used for cloud computing.

The U.S. Department of Health and Human Services already has taken steps to ensure that doctors write into their contracts with vendors that both are responsible for monitoring the records’ security, Pasquale said. But negotiating these agreements can be a challenge for healthcare providers, who have much less bargaining power than large IT firms, he said.

Pasquale and Ragone recommend that federal regulators make it a priority to enforce IT companies’ HIPAA responsibilities, including taking legal action against violators.

Ragone said legal standards are still evolving to address the wide range of issues posed by the electronic use and storage of health information – including such simple acts as a doctor emailing a patient.

Even with federal authorities making it clear that IT companies have legal liability, some firms continue to resist it. Ragone expressed hope that their paper – when read in light of recent federal regulations – will convince companies to take their HIPAA responsibilities more seriously.

“They’re on the hook,” Ragone said. “It’s possible they’re going to (make changes) just because of the clear legal liability.”

However, if the federal government doesn’t follow up on its regulations by taking enforcement action, that may not happen.

Ragone added that these issues won’t be going away, as healthcare advocates and researchers tout the potential benefits of using large sets of data to improve healthcare delivery. Some lawmakers recently supported a proposal – rejected by Gov. Chris Christie’s administration – to create a database that would have included all health claims by all payers in the state.

“There’s so much being done with data that’s amassed” that maintaining patient privacy will remain a primary concern, Ragone said.