The pros and cons of hosting healthcare data with a third party.
By George Pantos
Since passage of the Affordable Care Act, public sector organizations have encountered various technological barriers that will impact their ability to meet the act’s deadlines. Federal, state, and local officials are working to overcome these hurdles by transitioning current legacy systems to more efficient cloud-based platforms for delivering health benefits.
Extensive regulatory demands for increased transparency, connectivity, and security are challenging public sector organizations to move from unconnected IT systems into a new cloud-based environment that allows processes to be integrated seamlessly at all levels of health service delivery.
In cloud computing models, third parties host applications, data storage, and access to computing power via the web. This provides economies of scale and offers cost advantages over other computing models that otherwise require users to host servers on-premise or hire in-house technical support.
“From the state perspective, health reform is best described as overwhelming in its size and breadth,” said Alice Burton of Maryland-based Burton Policy Consulting, which helps state-level public and private sector clients navigate health reform implementation. “I think the biggest challenge is integrating health insurance exchanges into a competitive marketplace.”
To cope with these impending challenges, all level of governments can leverage cloud-based applications in a modern computing environment in which data is rapidly collected and dispersed with marginal management effort or service provider interaction. It’s a way to address new regulatory and market trends, and can help organizations reduce their healthcare costs while improving outcomes.
Gene Walker, president of Healthcare Interactive Federal, a provider of cloud-based healthcare solutions to the public sector, explains that federal agencies must simplify their processes for handling data if they want to effectively implement reform. One of the biggest challenges is how to transfer existing systems and applications to a more robust infrastructure.
“A number of those agencies have systems and software that have been in place for a long time. These systems have been cobbled together to meet legislative changes and business drivers that go back 30 to 40 years,” Walker says. “Changing or implementing new services within a legacy environment is problematic at best, and legislative timelines make implementation of these new services almost impossible without a serious approach to meeting those business drivers.”
Cloud-based healthcare management systems can have a positive effect on lowering healthcare costs while providing a timely solution to the issue.
The cloud combines management of knowledge, activities, and resource allocation and makes these business processes more efficient. “Workflows that are designed to leverage cloud services do not have the limitations of traditional client/server applications or mainframes,” Walker notes. “Cloud computing enables collaboration not only between doctors and patients, but also among those who manage health plans. If public-sector officials can capitalize on the promise of cloud-based technology, they’ll be able to reduce costs and improve the health of their workforces.”
Liddy Garcia-Bunuel, executive director of Healthy Howard, a community health plan for the uninsured in Howard County, Maryland, believes cloud computing will help state and local officials set up health reform’s new insurance exchanges.
The Healthy Howard program, which provides doctor and emergency room visits, low-cost prescriptions and personal health coaching, uses cloud technology to manage its county-wide initiative. From online eligibility and enrollment to managing patient risk and gaining access to primary care providers, Healthy Howard has created a plan that allows for a seamless flow of information through the cloud.
“Given today’s challenging fiscal environment, states can’t afford any hiccups as they set up their exchanges,” notes Garcia-Bunuel. “In Howard County, we’ve used cloud technology to deliver benefits more efficiently and to support robust wellness initiatives that both save money and improve beneficiaries’ health. Officials elsewhere should consider what they can learn from our experience.”
“Going forward, there’ll be implementations via cloud services and point-to-point cloud services that will facilitate security challenges,” Walker says. “It won’t be impossible, but it will certainly be a challenge to get everyone to agree on the same set of principles and standards as it relates to security and data interchange. We believe that our customers understand their business objectives and are looking for solutions and strategies that will help them achieve those objectives. The result will be a migration strategy that’s able to leverage the existing data and more selectively move some of those complex business processes to the cloud.”
The end goal is to move existing systems and applications to hosting environments that are flexible and agile, which will have an overall positive impact on business operations.
Data Security in the Cloud
By Brent Skinner
Using cloud technology to deliver employees their healthcare benefits is a streamlined way to carry out a potentially tedious administrative aspect of workforce management. That’s the attraction. Despite cloud technology providers’ robust efforts to secure that data, turning to the cloud for health benefits administration puts employees’ personal information at risk.
“There is inherent risk in the storage or transfer of data, whether it’s cloud-based or in a file cabinet,” says Robert Siciliano, McAfee consultant and identity theft expert. “As long as HIPAA [Health Information Portability and Accountability Act] guidelines are followed and compliance is in order, in a perfect world the data will be secure. It is in these situations, however, that the end user’s (i.e. the employee’s) activities are least secure, especially if he or she is accessing the cloud from a home PC.”
First signed into law in 1996, HIPAA is a kaleidoscope of regulations, exacting a collective influence on the activities of any entity that handles health information. At the time, health-related information was already well on its way to becoming primarily computer-housed, an evolution that has since run most of its course. Today, the next transition is upon us, with movement among employers everywhere to move technology-driven human capital functions to the cloud, with all associated data in tow.
In its 2010–2011 human resource technology report, CedarCrestone forecast that the deployment of cloud-enabled Software-as-a-Service (SaaS) across a wide spectrum of human capital management would increase by 50 percent. The annual follow-up report, CedarCrestone 2011–2012 HR Systems Survey: HR Technologies, Deployment Approaches, Value, and Metrics, 14th Annual Edition, confirms that the forecast was accurate, and it predicts another jump in adoption to take place through 2012.
“All parties involved share the risk of data privacy,” says Attorney Jim Kunick, principal at the Chicago, Ill.–based business law firm Much Shelist, where he is chair of the firm’s intellectual property and technology group. “If a company outsources its human resources or its health benefits administration to a cloud provider and that cloud provider has a problem, ultimately the buck stops at the employer. That’s the first entity that gets sued by an individual whose personal health information gets disclosed.”
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) added yet more governing regulations, many of which strive to address “the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules,” according to the U.S. Department of Health and Human Services’ website.
Whether residing in the cloud or on-premise, a collection of data, especially of health records, is a draw for thieves. It is the responsibility of any entity that enters into a cloud computing–related contract to acknowledge the circumstances and the regulations that could apply to any one of the parties bound by that agreement.
“There are several key things that an organization can do to minimize its risk when entering into a relationship with a cloud provider,” says Kunick. “Do the due diligence. Find out more about the cloud provider. For instance, to whom does the provider subcontract its services? Is the data stored in multiple locations, and if so, who is it that the provider employs to handle the data and run the applications? Data may not even be stored in this country. Have someone within the legal counsel office do a litigation search to determine whether or not the provider has been involved in litigation previously, and if so, what kind. And get a good contract in place with the cloud service provider. Get the appropriate terms around data privacy and data security in place. In that contract, as well, obtain sufficient insurance terms, a good way for the employing organization to protect itself. If there’s a breach, that triggers all kinds of things, depending on the state.”
Organizations interested in learning more about how to protect employees’ private data as they enter the cloud can visit the Cloud Security Alliance (https://cloudsecurityalliance.org).