Legal and Policy Aspects of the Intersection Between Cloud Computing and the U.S. Healthcare Industry

The United States healthcare industry is undergoing a technological revolution.  As paper medical records are converted to electronic medical records, which are then stored via cloud computing, a myriad of legal questions arise.  Foremost among these are concerns regarding patient privacy and the security of stored personal health information.  It is evident that the storage of electronic medical records in computer clouds is a technological development that is here to stay.  The challenge lies in adapting our healthcare system to the digital age in a legally enforceable, efficient, and cost-effective manner while maintaining quality care and privacy rights for patients.

There are two key components to this healthcare overhaul.  First, transitioning as smoothly as possible to the inevitable nationwide e-health system; and second, determining proper responses to situations where the e-health system does not function correctly.  All systems experience complications at some point, and the e-health system, while more efficacious than paper medical records in the long-term, will present new legal and policy-related dilemmas that a community reliant on paper-based medical charts will initially be unprepared to address.  Ideally, hospitals and healthcare companies should develop backup plans in advance of these hurdles and create prophylactic policies that anticipate technical difficulties.  The U.S. healthcare system should act offensively, rather than defensively, to challenges that will arise as we increase our reliance on technology.  These strategies must be as legally sound as possible, in order to best protect patient privacy and to diminish risks for all parties.  Diminishing legal risk will decrease the hesitancy of software companies and data centers to enter the arena of public health, and will therefore drive a competitive marketplace with lower costs for hospitals and insurance companies and, consequently, lower treatment costs for patients.

I.

To begin with, there are a number of technological solutions that can be implemented to improve efficiency of care at the triage stage. One such method would be to adopt an opt-in fingerprinting system, similar to the FBI’s Automated Biometric Identification System (IDENT), where fingerprints of individuals are stored in a law enforcement fingerprinting database.  Forty-three U.S. states currently participate in storing and sharing this information, and results can be produced within 10 seconds or less.[1]  By scanning a patient’s finger, a paramedic could easily access that patient’s medical records, which could then be sent ahead to the hospital.  This tech-forward approach would speed up the data entry process and produce swifter treatment for the patient, as well as for other individuals awaiting treatment.

Another tech-forward measure would be to embed biometric information and past medical history in a microchip in a patient’s insurance card or driver’s license, which could be scanned and downloaded by paramedics onsite.  The availability of medical history and records of past hospital visits would facilitate fast and accurate treatment, especially for a patient who is incoherent, impaired, or lacks the cognitive faculties to self-identify.  It would also cut down on waiting room times, thereby reducing unnecessary costs for insurance companies.

Streamlining the triage process would also prioritize the provision of urgent care, potentially saving lives.  Michelle Idler, a paramedic whom this author consulted, leveraged her professional experiences to suggest a way that drivers’ licenses might be made to prove even more helpful in exigent situations.  As she explained, police departments can scan drivers’ licenses to obtain information regarding warrants or previous tickets identified on the Department of Motor Vehicles(DMV) database.  She proposed that these databases should also include the license-holder’s emergency contact information in the event of an accident or other crisis situation.[2]

Although these cutting-edge technological approaches to increasing the efficiency of the healthcare sector are ostensibly attractive, they raise significant patient privacy concerns.  The general public would likely be uncomfortable with individuals’ medical information being available through their fingertips or drivers’ licenses, and fingerprinted patients may feel like they are being treated like criminals.  Using something akin to law enforcement agencies’ IDENT system would limit the agency of individuals seeking health treatment.  If a fingerprint alone could be used to access a medical chart, issues of consent would surface.  However, the concept of listing an emergency contact in each registered driver’s file associated with the DMV appears to be a pragmatic proposal that can and should be easily implemented.

It is also critical to introduce some form of computerized health records on a nationwide level.  As of 2009, 17% of U.S. physicians and 8–10% of U.S. hospitals maintained basic electronic health systems, in comparison to 80–100% in Europe.  According to the Health Information Technology for Economic and Clinical Health  (HITECH) Act which forms part of the American Recovery and Reinvestment Act of 2009, 70% of primary care physicians must have implemented a “meaningful use” of electronic health records by 2014.  The federal government posits that converting Medicare and Medicaid to an electronic health system will save $33 billion over ten years.[3] A RAND study found that a full implementation of electronic health records would save $77 billion annually.[4]

Although triage fingerprinting and driver’s license microchips are not likely to be introduced as a nationwide requirement, instituting electronic medical records in all U.S. hospitals is a practical next step.  Additionally, health information will increasingly be stored using cloud computing technology.  Admittedly, purchasing this technology is a steep investment: for example, computerized medical chart software can cost a hospital between $5–10 million. However, hospitals will benefit financially from no longer purchasing the mountains of paper necessary to maintain paper charts.[5]  When families of decedents request medical records in the event of a wrongful death suit, rather than printing out documents and changing ink cartridges, the parties can simply exchange digital copies.

Electronic health records are also more secure than paper charts.  Electronic records have the added protections of being password protected, often at multiple levels, and are encrypted and capable of being viewed from various computer monitors, especially if stored in a cloud. They also contain the digital signature of any personnel who have accessed or edited any data.  Cloud companies and healthcare professionals responsible for ensuring the safety of that data should take advantage of all possible security mechanisms, such as encrypting health records, both when they are being accessed by an authorized professional, and while they are in transit.

Fortunately, healthcare law is adapting to more comprehensively protect patient privacy. In 2013, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which addresses protocol regarding patient privacy, was adapted to include the Omnibus Rule, which modifies the extent of compliance mandated with regard to previously non-covered entities in the healthcare sector.[6]The new penalties imposed by the Omnibus Rule will incentivize healthcare companies to use every method available to ensure the safety of the data that is entrusted to them, and consequently to consult technology and risk management experts to protect patient privacy.

Studies have been inconclusive as to whether the widespread coordinated use of electronic health records will reduce duplicate medical tests by consolidating test results in one database, and therefore reduce waste.  According to a 2012 consensus report by the Institute of Medicine, as cited by the American College of Radiology, $210 billion is expended annually on unnecessary medical services; $130 billion is spent on uncoordinated care; and $8 billion is spent on repeat testing.[7]Moreover, between 9–40% of all medical images are duplicate images.[8]

Contrary to general understanding, duplicate testing is often not a product of inefficiency: duplicate x-rays of the same body part are necessary to examine a specific anatomical structure from multiple angles in order to provide the radiologist with the clearest possible understanding of a medical ailment.[9]  Additionally, follow up scans may be ordered, for example, in the case of radioactive iodine treatment, in order to determine if the iodine has been effective in treating thyroid cancer.  In these cases, duplicate testing is warranted.

Studies evaluating waste in regard to duplicate testing, which electronic health records could mitigate, need to be able to differentiate between necessary and unnecessary duplicate testing.  Unnecessary testing can be classified as a test, such as an MRI, which is ordered by a hospital physician, despite the patient having recently undergone the same test for the same ailment.  These unnecessary duplicate tests are ordered due to lack of communication between hospitals and treating physicians, and could be avoided through consultation of the patient’s comprehensive electronic health record.

One way to distinguish between necessary and unnecessary duplicate testing is by examining the time frame in which tests were taken.  If scans of the same limb were taken in quick succession, then it is likely that these slides were warranted, as the patient is changing positions to provide a panorama of the affected area.[10]  Test findings have indicated that the implementation of electronic health records could reduce unnecessary duplicate testing by as much as 25%.[11]  According to a study detailed in the American Journal of Managed Care, when heath information exchange records are consulted prior to ordering an image, testing is repeated at a rate of 5.2%, compared with a rate of 8% when the exchange is not consulted.[12]The implementation of such tracking of tests would also aid government enforcement officials prosecuting actions for fraud by helping to determine when unscrupulous physicians may have prescribed unwarranted treatments for pecuniary reasons.

Electronic health records can also reduce hospital admissions.  As one physician explained when consulted for this article, having access to a patient’s electronic medical history is helpful specifically in the case of a patient with chronic obstructive pulmonary disease (COPD).  Individuals suffering from COPD routinely register abnormally low oxygen levels.  While alarming, this symptom is anticipated, and can be treated by administering oxygen at home.  If an individual is brought to a hospital with a low oxygen rate but is on record as suffering from COPD, the medical staff can rule out other diagnoses, administer an oxygen treatment, and avoid having to admit the patient to the hospital.

One prime factor that health professionals describe as complicating their operations is the lack of communication between parties in the hospital setting.  For example, while one hospital department may rely on a newly-implemented e-health system, another department in that same hospital may still depend on paper records.  Even within one cloud system, nurses may have access to one chart layout, which differs from that visible to the physicians.  An occasional glitch can prevent nurses from viewing medical requests in real-time.  The efficiency of the hospital as a whole is impaired when two disparate systems are in place.  Instead, the board of directors or head of operations at that hospital needs to make an executive decision to implement one specific hospital record system, and then apply the selected system as uniform hospital policy.  The confluence of one standard operating cloud system, with identical medical results viewed by both nurses and physicians, instituted within a hospital will repair communications between medical departments, and will greatly increase the efficiency of patient care overall.

Technology can further improve patient care by facilitating better data sharing between ambulances and hospitals.  Some hospitals have begun to transition to data sharing by enabling EMTs to access information regarding previous emergency room trips made by patients.  This information can equip paramedics with a better understanding of a patient’s history, as well as expedite the process of data input, and allow the EMTs to focus instead on hospital transport and patient care.  However, this technological stride is limited by the scope of the data network; some hospitals only provide this data exchange between their own hospital and their company’s ambulances.  If a patient was picked up by a volunteer ambulance service, or if the patient had recently been treated for a similar health concern at a different hospital, that data would not be available to aid in treating the patient.

It is evident that the law must strike a balance between efficiency and privacy when it comes to the digitization of patient records. Communication channels are broken within the healthcare sector, both in terms of data sharing among emergency personnel and hospital networks, as well as on an interdepartmental level.  This lapse of interchange can be repaired through widespread hospital implementation of electronic health records in one specific cloud system.  However, it is critical that this new e-health movement adhere to the existing standards of HIPAA compliance, and that electronic violations and data breaches of patient confidentiality be subject to similar sanctions as the leakage and improper handling of paper records.

The federal government has attempted to smooth this transition by introducing changes to the HIPAA Privacy and Security Rules with the passage of the HITECH Act of 2009.  The Act expands HIPAA’s regulations and facilitates the enforcement of its policies on newly-involved Digital Age partners in patient information health exchange.  These new partners include business associates and subcontractors, who are brought into the arena to safeguard patients and their protected health information.  The HITECH Act imposes more severe penalties on parties who fail to protect this information, and gives patients the right to request an audit trail of whoever has accessed their electronic medical records.[13]

An interesting legal question that will arise in the near future is which party will be found liable in the case of an information breach, where data is submitted by a hospital network and stored in a cloud computer system, such as that of IBM’s SoftLayer service.  Both parties are responsible for ensuring patient privacy; a cloud server is recognized as being legally accountable to HIPAA regulations for ensuring the physical infrastructure of the cloud, while the healthcare provider who submits the protected health information is legally responsible for the workload.[14]  However, those confidentiality duties in accordance with HIPAA regulations will undoubtedly blur.

One factor in this hazy web of accountability will be whether the protected health information was encrypted.  It would be highly advisable for technology companies to encrypt personal health information.  In addition to injecting one more level of data protection, encrypting identifying health information ensures an extra layer of liability protection in the event of an information leak.  If software personnel are merely responsible for ensuring the safe storage of that data, and cannot read the stored material, the technology company will face less legal probing as to their possible misuse of data.  In addition, patients can rest assured that their data is being shared on as much of a “need to know” basis as possible.

One state initiative to institute electronic health record technology is the Rochester Regional Health Information Organization (RHIO).  The non-profit, funded by a $4.4 million state grant and $1.9 million from hospitals and local businesses, aims to coordinate an exchange of medical records between thirteen participating counties in New York State.  Rochester RHIO, which comprises 70 participating healthcare providers, is only one of nine health information exchanges in New York State alone.  There are 300 health information exchanges on a national level.[15]

Developing interconnected communication among these 300 networks is crucial.  It is a step in the right direction for counties to centralize records for local residents, but this consolidation of medical information becomes meaningless if a resident decides to relocate.  If a patient’s medical records cannot be transferred to a new health information exchange facilitated by a disparate healthcare provider in a new city, the patient will essentially become a medical tabula rasa.

Further inefficiencies arise in the organ donation context. It is critical for nephrologists to be aware of a donor’s medical history, as the donor’s past may influence the recipient’s future.  As of now, not all medical charts for organ donors are electronic, and those that are post donation only include the information of the recipients.  This issue is further complicated by the fact that most organ donors are deceased; their emergency medical files are consequently deactivated.  Linking medical files is not an efficacious secure method for the long-term.[16]  Beyond instituting a health information exchange that will benefit all Americans, it is crucial that at least the organ donation demographic can find a dependable and efficient manner in which to share its medical histories.

Here too the federal government has stepped in to provide support. In an effort to spearhead interoperability between various healthcare providers, in 2012 the U.S. Department of Health and Human Services launched a nationwide health information exchange called Healtheway, which was subsequently rebranded as the Sequoia Project.[17]  It is likely that as the federal government partners with stakeholders in the private sector, Project Sequoia’s target audience will be patients registered for Medicare and Medicaid insurance plans.  After stakeholders are satisfied that the national health information exchange network has been a financial success, the health partners will broaden their client base to include patients covered by private insurance, and provide financial incentives for new participants to join the national health information exchange.

II. 

There are two main obstacles to e-health reliability that need to be addressed by the legal community: susceptibility to hacking, and power outages.  The former is unfortunately unavoidable: there will always be data breaches, whether through unauthorized access to one’s electronic chart or via a snoopy nurse with paper records.  The goal, then, is to eliminate data breaches as much as is technologically possible.

Cloud computing, if properly utilized, can significantly aid this endeavor.  When a hospital permits employees to access the cloud through their personal electronic devices, certain basic safety precautions must be imposed through hospital policy to protect patient data.  For example, if physicians routinely access medical charts on their smart phones, the hospital should require that smart phones be password protected.  When communicating regarding patient information, healthcare providers should reference patient identification numbers, rather than patient names or social security numbers.  Whenever possible, personnel should avoid mentioning sensitive information in writing or on an unsecure line.

Since 2009, HIPAA has confirmed that 21 million health records have been breached.  More than 66% of mass HIPAA breaches are due to the theft or loss of electronic devices that store unencrypted health data.  Seventy-three percent of those whose data is stored on those devices are affected.  The implementation of cloud computing in medical facilitates will significantly lower those figures.  In contrast, hacking is only responsible for 8% of data breaches, with 6% of individuals affected.[18] While none of us envy the affected 6%, the risk of information compromise is significantly diminished when encrypted cloud computing software is used.

In addition to strengthening penalties that can be imposed for breaches of patients’ personal health information, HIPAA has imposed certification costs that only large cloud computing companies can afford, but which are not fiscally sustainable for privacy data centers.[19]  The hefty cost of HIPAA certification and tight penalties for data breaches constitute a de facto attempt to ensure that only large companies that will staunchly safeguard personal health information and perform their due diligence can afford to enter the e-health and cloud computing playing field.

Precautionary plans are also essential for dealing with the possibility of a power outage, which could render electronic medical record databases inaccessible.  Unfortunately, many medical facilities have not developed detailed preventative plans.  Foremost, hospitals should be required to have generators.  Those facilities which are aware that they do not have sufficient infrastructure and which are geographically vulnerable to an anticipated natural disaster should preemptively evacuate their facilities and transfer their patients to a hospital which is better equipped to handle a crisis, or is in a more remote location from the affected area.

Even the same natural disaster may not affect every hospital equally, as the experiences of several New York City hospitals during Hurricane Sandy illustrate.  NYU Langone Medical Center evacuated newborns by flashlight when their generators failed.[20]  One health professional at another hospital affected by Hurricane Sandy described that time at the hospital as “hell on wheels.”[21] Other doctors recorded their notes by hand, and waited by the rooms of the patients until they could pass off their notes to another individual.  At a different hospital, a health professional recalls being inundated with charts that needed to be uploaded to the server to document each patient, but reports that otherwise patient transport and triage ran smoothly.[22]

To avoid patient data confusion or medication mishaps when electronically‑ stored patient data is inaccessible, HIPAA should require all U.S. hospitals to store a paper copy of basic patient data.  This information, which should be stored in a convenient and easily-accessible location, such as the nurses’ station in each hospital unit, should include the patient’s: name, age, and date of birth; emergency contact information; blood type; allergies; fall risk; erratic behavior; irregular signs or conditions of which to be cognizant; any medications the patient has been prescribed; current and previous diagnoses; the patient’s wishes regarding a living will; and the patient’s organ donation status.  While by no means a complete medical history, a one-page chart printout for each patient containing this basic and critical information can prove invaluable during a power outage.

It is evident that electronic medical records and health information exchanges on state and local levels will integrate into part of the federal healthcare system, and will affect the daily lives of U.S. citizens.  Even if a successful transition can be achieved, however, it is integral to consider alternative approaches for when the electronic systems malfunction.

The author would like to dedicate this article to the unparalleled Lee Medows and D.B. Medows.  Special thanks to Dr. Richard Goldfarb, Dr. Ann Glassman and Michelle Idler for their informative interviews, and for their work saving lives every day.