When I first started practicing, I didn’t even want to put records on my computer. I knew too much about how difficult it is to keep a computer safe. Now I find myself frequently recommending to my risk analysis consulting clients that they take e-records even one step further and put everything – absolutely everything they can – on “the cloud.” Here is why.
Think about how you keep electronic records. Many people who keep them on their computers have confidential information on laptops and also have backups on other devices, such as thumb drives and external hard drives. In my consulting practice, the majority of my consultees state that these backups are difficult to keep up-to-date. Some colleagues I’ve met don’t keep backups at all.
The main purpose of risk analysis is to find out where security risks lie in our practices, so I have many opportunities to see how clinicians protect their computers. Most people know to use passwords and keep antivirus software running. But rarely are people familiar with disk encryption, firewalls, and why the antivirus is so important to protecting one’s data. What’s more, often clinicians don’t have policies in place for how to protect computers from loss or theft. That is not surprising – protecting a computer can often require more vigilance than the average therapist is really interested in investing in such a mundane object. Most of us would rather invest that energy in clients, family, friends and self.
What HIPAA Says About E-Records
The HIPAA Security Rule doesn’t specifically get into how you should store records, what software you should use, etc. It just wants you to protect the confidentiality, integrity, and availability of the information you keep. The confidentiality part of that triad is one we all understand well. The other two are less well known.
Integrity is the principle that your protected health information is kept intact and not modified after the fact. Our professions address this in that we do not change records once they are signed (either really or virtually.) We only amend them as needed. Availability is the principle that information is available to authorized persons when it needs to be. Our professions address this in that licensing boards and/or state laws define a period of time for which records must be kept after clients terminate therapy. HIPAA addresses both principles more depthfully than our ethics and laws generally do.
HIPAA defines some standards, called “implementation specifications,” that provide guidance for how to do this with electronic information. Those specifications include, but aren’t limited to (US Dept. of Health and Human Services, 2006):
- Keep Backups: We must keep “retrievable exact copies” of our electronic data. If a piece of data is unavailable because the original is lost and backups aren’t up to date, we have a breach of availability.
- Protect Workstations and Storage Devices: We must “implement policies and procedures” to keep bad guys (aka “unauthorized individuals”) away from devices that store and otherwise manage confidential information.
- Track Access: We need to be able to keep track of who accesses what information and when. We can kind of do that with everyday PCs and Macs, but most of us don’t have the software knowledge to be able to find out who edited which Word files when. If you use record-keeping software on your computer, the software may provide this functionality, however.
One more important aspect of HIPAA is the Final Breach Notification Rule. That Rule defines what HIPAA covered entities (that’s most of us) must do if we have a breach of the confidentiality, integrity, or availability of protected health information. The Rule is more flexible than most licensing boards are when it comes to confidentiality breaches. For more information on the details of how it works, see our article on HIPAA and security breaches.
The aspect of the Breach Notification Rule that is most important for this discussion is this: when you have a breach, HIPAA asks you to do your best to determine whether or not any protected health information was actually accessed or retained by bad actors. So play the tape forward and imagine:
- If you keep records on your computer: If the computer is lost, how do you determine if information contained on it has been accessed?
- If you keep records on the cloud: If a device of yours is lost, you can go to your service provider and find out if anyone has accessed your account and get a general idea of where they accessed it from.
In other words, if all of your protected health information is kept on the cloud and none of it is on the stolen device, then you have the ability to determine with a high degree of certainty if your information is ever accessed by bad actors who have gotten ahold of your device. This is difficult to do if the information is kept on the device itself.
Famed security researcher Bruce Schneier discusses in his paper, The Psychology of Security, how the cognitive psychology concept of control bias can adversely impact the way we evaluate security risks. Control bias, as Schneier interprets it through his security professional’s lens, is a tendency to emotionally downplay risks when we feel like we are in control of a situation. You can see control bias at work on the road – people may drive dangerously because they feel in control and decide that warnings about dangerous driving behaviors do not apply to them. Similarly, we feel like information that is in our direct control – such as on our own equipment – is safer than information being kept by a far-away party on the Internet.
Your own concern about keeping records on the Internet (assuming you have any) may or may not be the result of control bias. However, it is important to keep such biases in mind for the same reasons that we need to monitor countertransference in our therapy work.
We discuss control bias and other psychological heuristics that affect our assessment of confidentiality risks in Level II of our live CE webinar on digital confidentiality.
Are Cloud-Based Records Safe?
That question depends on the company providing the service and on general circumstances. Generally speaking, cloud-based record companies keep their data in data centers where security is a very high concern. These companies are also your HIPAA Business Associates, and by taking on that relationship they accept a high degree of potential legal liability in the case that a security breach occurs within their network. These data centers are generally also set up to create backups of data quickly and with a good degree of reliability. In other words, the tasks of securing data and keeping it backed up are performed by well-resourced experts.
An important concept in SecurityLand (as I like to call it) is that of Trust. Any company can make errors or be negligent. Some companies are highly negligent while others are quite trustworthy. Thus companies that are serious about providing secure services work to foster the trust of the community. For example, Microsoft has recovered quite a lot of trust in the techie community during the last ten or so years. In the late 90s, they were less trusted. Now, they are well trusted. Google has long been well trusted, and has recently displayed behavior and enacted policies that have further improved that trust. Yahoo is not well trusted and hasn’t done much to improve on that. Etc.
In order to be able trust your online cloud-based record provider, you must at the very least get a Business Associate Agreement with them. This is also a requirement for your HIPAA compliance. Be aware that getting a Business Associate Agreement alone is not a guarantee that a company is trustworthy, but it is a minimum thing that you must have from them, according to HIPAA. For more information, see our article, What is a HIPAA Business Associate Agreement?
We regularly review the trustworthiness of many different companies and products through our HIPAApropriateness Reviews. The full reviews are only visible to our paid members of Person-Centered Tech Support. But anyone can view the review summaries and get the basic gist of our impressions of each company’s trustworthiness. Browse our HIPAApropriateness Reviews here.
Another great resource for researching this subject is Rob Reinhardt’s review series on cloud-based practice management systems, which includes various electronic health record (EHR) and electronic medical record (EMR) services:
What Do I Need To Do To Keep Them Safe?
Good question. I’m glad you asked!
When my risk analysis consulting clients find themselves leaning towards keeping records on the cloud, I advise them to put everything they can on the cloud and keep it off of their devices’ hard drives, wherever possible. There are some things, such as text messages on phones, that make this aspirational goal impossible to fully achieve. We try to come as close as we can, however. This way, the devices become lower sources of risk. With basic device security in place, the clinician can usually reduce the amount of work they do in keeping their clients’ data secure.
To help you secure your devices, we offer a 1-hour CE course on the easiest-yet-most-effective ways to secure your gear to HIPAA standards. The course includes free walkthrough videos that show you how to implement the advice given in the course. See the course description here.
The HIPAA Security Rule requires that covered entities create a policies and procedures manual that describes how they maintain security in their practices. You would want to create policies that describe how you keep your devices and data secure. Besides compliance, however, I find that policies help clinicians know where the boundaries between secure and non-secure behaviors lie, and help them feel more confident about what they are doing with their devices.
The 2014 ACA Code of Ethics also introduced a requirement that Counselors who keep electronic records provide disclosure to their clients about how those records are kept and how they are secured. (American Counseling Association, 2014) This disclosure is required whether the Counselor uses the cloud or not – any use of electronic records needs to be disclosed. For non-Counselors, this is likely to become standard of care in the near future.
Our free newsletter subscribers have access to our Sample Electronic Records Disclosure Policy, which helps you write a disclosure form that matches your electronic record-keeping system. You can get it by subscribing to our newsletter here.
- American Counseling Association. (2014). ACA Code of Ethics. Alexandria, VA: Author.
- Schneier, B. (2008, Jan). The Psychology of Security. Retrieved Sep 2013, from https://www.schneier.com/essay-155.html
- US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification . Washington, DC: Author.