Solo doctors, small group practices and specialists find health IT outsourcing -- typical choices being a cloud EHR with integrated practice management and billing systems -- an option at least worth considering, whether they sign up or not. Outsourcing health IT isn't so easy, however, for larger healthcare providers from medium-sized hospitals and up, which hang on to traditional IT models for many reasons, including reticence to trust third parties with HIPAA compliance.
Yet, slowly, larger providers are coming around to the notion of outsourcing pieces of their health IT operations to the cloud, keeping their clinical data on site but finding value in outsourcing other related services such as data security and managing employee EHR access.
Resource-strapped small medical practices willingly embrace the tradeoff of trusting a third party with their clinical data for the convenience of outsourced IT infrastructure and software upgrade support. In fact, business is booming: Numerous vendor-hosted EHRs live in the cloud, perhaps the most well-known being athenahealth Inc. and its nearly 50,000 customers, many of whom also outsource practice management and billing services.
Bigger organizations with larger IT departments, however, can afford time and costs associated with creating more detailed risk assessments. Such exercises expose the potential downsides of putting clinical data in a cloud environment that a provider doesn't own. Furthermore, big healthcare providers need IT service-firm partners big enough to have their own legal departments. Once an outsourcing firm's lawyers see what liabilities HIPAA-mandated business associate agreements (BAAs) entail, they may balk.
One way to get around BAAs is to provide IT infrastructure pieces that constitute a conduit to transport data without accessing or storing HIPAA-protected patient data. This facet of infrastructure can enable typical communications to rural outposts of a health system as well as backup and business continuity failovers in case of disasters, both of which are required in meaningful use and HIPAA rules.
Jim Wilsonaccount executive, Dell Healthcare Services
Healthcare is following the path the financial industry did several years ago, embracing the cloud a little at a time, said Ken Smith, executive VP of sales at Integra Telecom Inc., a Portland, Ore.-based IT outsourcing firm. His company provides infrastructure to 15 of the 51 largest U.S. healthcare providers as measured by telecom spend, mostly in Western U.S. states. Most won't trust clinical data to third-party cloud providers.
"It used to be that large banking institutions wouldn't let one piece of data escape their walls," Smith said. "Over time [outsourcing firms] started picking up some redundancy, but even then it was a marginalized amount of data that was put forth. Over time, it grew, it became more core data allowed outside of those walls."
"The ones who have very deep pockets are holding onto data within their four walls because there are no capital constraints to build out," Smith added. "The ones that don't, or have more progressive-thinking IT leadership or even on the board, are willing to explore additional options. I believe that's what we'll continue to see in healthcare."
Some IT service providers are working around HIPAA business associate agreements, finding ways to work on the periphery of clinical data and support healthcare providers without taking on liability for data breaches. Others, like Dell Inc. Healthcare Services, are full partners in HIPAA compliance and embrace the regulatory burdens that come with it.
Jim Wilson, Dell account executive, characterizes it as "a challenge" to convince some providers to overcome fears of outsourcing clinical data to third-party clouds, even when the service provider is willing to work out HIPAA business associate agreements. The tipping point usually relates to data needs, especially for radiology and cardiology imaging, which are expanding as new technologies create bigger, more complicated stills and longer video studies.
At some point for many providers, Wilson said, running its own data center becomes a cost too great for the enterprise to bear. The cloud can be cheaper and in many cases more secure, even if it feels less secure to trust a cloud provider. Another issue to overcome: It can feel as if the hospital IT staff is outsourcing their own jobs to a third-party company. But the reality is, in many cases, the workload is growing beyond what an IT staff can bear. Outsourcing relieves the overflow and doesn't necessarily replace the jobs.
"People have some fears they have to get over," Wilson said. "At some point they have to decide: Is the decision [to reject the cloud] logical, or more emotional?"
In this series of articles, SearchHealthIT explores what medium and large healthcare systems are entrusting to third-party cloud service providers with five very different IT outsourcing vendors -- including one based in Pune, India. Healthcare providers are working with them despite the fact they might not handle clinical data.