Reconciliation of the cloud computing model with US federal electronic health record regulations

From Clinfowiki
Jump to: navigation, search


A publication in 2012 issue of the Journal of the American Medical Informatics Association (JAMIA)(2012), Eugene Schweitzer examined the challenges faced by developers of cloud based electronic health records (EHR) related to compliance with federal regulations.[1] Of specific relevance to EHR development are the regulations pertaining to security and privacy. Schweitzer identifies several advantages offered by cloud computing architecture and maintains that this model can achieve a required level of regulatory compliance through business associate agreements with cloud service providers if these agreements specify compliance requirements and terms for the sharing of liability.

Cloud Computing

Cloud computing is an information technology (IT) architecture that provides resources as a service to a subscribing customer through an internet connection. Resources could include networks, storage, applications or telecommunications systems. The National Institute of Standards and Technology (NIST) presents the following five essential characteristics of cloud computing:

  • 1) On-Demand self service. Customers access the resources immediately and without human intervention or response.
  • 2) Broad Network Access. Resources are delivered in formats that enable access by a variety of devices (e.g. desktop, mobile device)
  • 3) Resource Pooling. The cloud provider pools and dynamically allocates resources to meet the fluctuating demands of customers.
  • 4) Rapid elasticity. Resources such as network bandwidth, processor capacity and memory are rapidly scaled in response to customer demand such that the customer is presented with the appearance of unlimited resources.
  • 5) Measured Service. The cloud provider monitors and reports the customer's use of services

Because the expense of EHR implementation remains a significant barrier to adoption by many providers, and this expense is largely tied to infrastructure, cloud computing has emerged as an architecture to providers seeking an alternative to on premise infrastructure. NIST supports further promotion of cloud computing due to its potential for significant cost savings and IT agility. One type of cloud service, Platform as a Service, or PAAS, has great potential for EHR proliferation. PAAS would not only provide the EHR software in a cloud based environment, it would also provide the customer with tools and access to the base product to allow user customization and additional development. This provision for local customization is of particular interest of EHR customers who have, to date, expressed reluctance to depend on a product over which they have little or no developmental control.

Federal Security and Privacy Regulation

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) called for regulatory safeguards for electronic protected health information (ePHI). In essence, HIPAA established provisions for improving healthcare through efficient health data exchange, and reducing costs, as well as providing patients with enhanced rights over their medical record information including; having access to their own records, controlling access to their records. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) act added clarity and strength to the privacy and security rules with definitions for responsible parties, expectations and penalties.

Security Measures, Concerns and Solutions

In addition to the standard set of over 40 HIPAA security stipulations, cloud computing faces some particular challenges. Of particular concern to a cloud-based EHR service is multi-tenancy characteristic of the shared resource model. Drilling down further, one finds a challenge regarding the dynamic scaling of pooled data storage resources. The mechanism(s) for data isolation are of critical importance. On possible solution would be a "cloud community" that would dedicate sets of shared resources to EHR only, thus allowing the vendor to focus on the applicable challenged of isolation, encryption in a shared environment, and others. Schweitzer asserts that the requirement for all third parties accessing ePHI enter into a Business Associate Contract is of critical importance with the cloud provider. Considering the central role of the cloud provider in the maintenance of the EHR, Schweitzer suggests that the contract also contain specific obligations for maintaining and monitoring security metrics including periodic audits. He also recommends specific assignment of liability for breaches. As this may be a contentious item in contract negotiations, Schweitzer reminds the reader that the HITECH act specified the business associate as carrying the same responsibility and liability for breach-related penalties as a provider.


While concerns remain about the value and sufficiency of cloud based computing for EHR, Schweitzer believes that these concerns are on the decline. In addition to technical strategies evolving to address concerns like customer configuration, legal strategies are also needed to address the challenges of regulatory compliance. Schweitzer maintains that specific inclusions in a business associate agreement will be critical to providers for whom adoption of a cloud based EHR is an effective way to overcome the cost barrier of EHR adoption.


According to Rodrigues et al (2013), Cloud service providers can protect privacy and security of patient information through the following steps:

  • By setting a Role-based access,
  • Through monitoring network security, specially during exchange of information with an outside net work party,
  • Using data inscription, digital signature and auditing system logs.

Besides that, Cloud service providers must be compliant with various certifications such as: SAS70 Type II, PCI DSS Level 1, ISO 27001, and the US Federal Information Security Management Act (FISMA). [1]


  1. Schweitzer, E. J. (2012). Reconciliation of the cloud computing model with US federal electronic health record regulations. Journal of the American Medical Informatics Association, 19(2), 161-165.