General Surgery Coding Alert

Reader Question:

Hacking Not Biggest Security Threat

Question: Can we access our patients' PHI through cloud storage available from our billing company?

Codify Subscriber

Answer: Yes, you can access patients' electronic protected health information (ePHI) through cloud storage, but you should be aware of the security breach risks.

A new report from the HHS-OCR maintains that file-sharing collaboration has its drawbacks.

Last October, the HHS-OCR offered provider guidance focusing on the privacy and security concerns that arise when ePHI is shared through the cloud. The advice spoke to both the HIPAA Privacy and Security Rules pertaining to disclosures, Business Associate Agreements (BAAs), Service Level Agreements (SLAs), encryption, and system requirements. In spite of that advice, a recent survey of myriad organizations across the business spectrum suggested that many had already experienced breaches due to issues with cloud computing technologies, according to the latest edition of the HHS-OCR Cybersecurity Newsletter.

The June issue showed that the biggest problems arose from temporary staff, "contractors, or third parties accessing data they should not see; employees accidentally exposing data; and broken security management processes." Interestingly, "only 28 percent of respondents listed external hackers as one of their top three concerns," the survey indicated.

Poorly configured file-sharing systems "as well as cloud computing services, are common issues that can result in the disclosure of sensitive data, including ePHI," the Cybersecurity Newsletter noted. "Too often, access, authentication, encryption, and other security controls are either disabled or left with default settings, which can lead to unauthorized access to or disclosure of that data."

Resource: To read the June 2017 HHS-OCR Cybersecurity Newsletter, visit https://www.hhs.gov/sites/default/files/june-2017-ocr-cyber-newsletter.pdf.