For many health care providers, electronic health record (EHR) systems represent the first foray into cloud computing. Other providers are experimenting with different ways to port patient data into the cloud, however. One example is Bay Cove Human Services, a publicly funded Boston-based behavioral health agency that recently supplemented its traditional Microsoft Office with a HIPAA-compliant implementation of the online word processing program Google Docs.
Bay Cove needed to do something about managing word processing documents. These play a vital role in patient care, CIO Hilary Croach noted. Since EHR applications and case-management systems -- EHRs' behavioral health-specific cousin -- cannot handle all the complicated documentation that behavioral health clients need, supplemental word processing documents go into case files.
While Croach said Google Docs and Calendar offer unique features such as online sharing and collaboration, they lack the security features that HIPAA requires, such as audit trails that logs who's viewed a document. (For that matter, Microsoft Office also lacks these security features.)
In discussing the issue with his C-suite peers and the organization's board of directors, Croach was forced to address the age-old CIO problem of having to justify investment in security software to non-technical C-suite peers.
There are a lot of ways somebody who had bad intentions can breach the security now, and I don't have really good ways to monitor and audit everything that happens to Word documents across my network.
Hilary Croach, CIO, Bay Cove Human Services
"People don't really understand IT security," he said. "There are a lot of ways somebody who had bad intentions can breach the security now, and I don't have really good ways to monitor and audit everything that happens to Word documents across my network.'"
The answer was CloudLock for Google Apps, a software-as-a-service (SaaS) application that tracks and secures Google Docs and Calendar across an entire enterprise. It lets CIOs survey and locate documents, as well as control with whom employees can share. (A version of CloudLock for Office 365 -- the online word processing, spreadsheet, document sharing and unified communications offering from Microsoft -- is expected later this year.)
Security tools improve online word processing programs' compliance
CloudLock Inc. CEO Gil Zimmermann said that, while his company has customers in several industries, health care providers have shown interest in Vault specifically for tracking and controlling HIPAA compliance.
Though some of Croach's peers are saying "not in a million years" to moving patient data into the cloud, he thinks cloud adoption is inevitable. CIOs will not be able to prevent employees from using online word processing applications such as Google Docs in an ad-hoc manner, he said, so they may as well add security and codify in-house policies to protect the organization from health care data breaches now.
It didn't hurt that CloudLock and Google Docs fit the budget of the cash-strapped nonprofit -- Bay Cove isn't getting the same support from the U.S. Department of Health & Human Services that hospitals and physicians are getting through the EHR Incentive Programs.
While the meaningful use incentives don't focus on behavioral health, the penalties do, Croach said, referring to increased data breach penalties and broader enforcement of the HIPAA Privacy Rule, such as a provision that gives state attorneys general the power to prosecute violations.
When it comes to cloud adoption, then, Croach and others suggest that usability and clinical workflow, not meaningful use, are the primary catalysts for cloud EHR adoption. Part 3 of our series -- coming tomorrow -- explores this issue further.
Let us know what you think about the story; email Don Fluckinger, Features Writer.