Basics of cloud computing

Off-site data storage could provide easier access to files and better protection against data loss

By Legal and Regulatory Affairs staff

October 14, 2011—With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Patient Protection and Affordable Care Act (ACA), both of which encourage or promote the increased use of electronic health records (EHR) (PDF, 160KB) [this protected content is available to Practice Assessment payers], comes the use of “cloud” storage and computing. While having your “head in the clouds” usually means that you are daydreaming, this type of cloud storage is not a dream and has the potential to be a valuable tool for psychologists who are moving to, or already keep, electronic patient records.

What is cloud computing?

Cloud is a method of saving data in an off-site storage system that is maintained by a third party. Instead of saving information to a computer hard drive, a flash drive, or some other device, the information is saved to a remote database. Connections to this database are made through the Internet.

How does it work?

When utilizing a cloud storage system, copies of files are sent over the Internet to the data server where the information is recorded and saved. To retrieve the information, the server is accessed through a web-based site.

This site allows access to and manipulation of patient files on the server, or can be used to send files back to the psychologist’s computer. An advantage of storing data on a cloud storage system is that the data can be accessed from any location with Internet access, or from a mobile device such as a cell phone or iPad. This could be convenient for and offer more flexibility to psychologists who practice in rural areas or from multiple locations.

Additionally, cloud storage spares the expense of purchasing servers for electronic storage or maintaining a large IT system on site. It also reduces the risk that your files will be lost or stolen if your office is hit by a fire, flood or burglary because your records are not located in your office where they are vulnerable to these risks.

Privacy and security

The main concerns about cloud storage for psychologists are privacy and security. Practitioners may not feel comfortable entrusting their data to an outside company or may be concerned about ease of access to patient files and improper access by others. In order to secure data, most cloud storage companies utilize security techniques such as encryption and authentication.

  • Encryption uses an algorithm to encode the information sent to the cloud. When this information is transmitted to the cloud storage site, it displays as a series of symbols. In order to decode these files, an encryption key (similar to a password) is needed to unlock the data. If the data is kept at government data encryption standards, it is extremely difficult to crack encrypted information without the key. Additionally, if data is encrypted, there is no duty under the Breach Notification rule to notify clients if a breach occurs; the theory is that someone improperly accessing the patient records will not be able to “crack the code” and actually read the records. 

  • Authentication processes require the psychologist to create a user name and password in order to access the cloud storage site and the files that have been saved within.

It is very important to do some homework regarding prospective cloud services. Start by verifying that it is an established company instead of a fly-by-night operation. Using a search engine such as Google should reveal information on how long the company has been in business and whether it has gotten good reviews or complaints.

You should also check the company’s website for statements that it is HIPAA compliant and that it has strong security measures for protecting sensitive information. Generally, expect that reputable cloud storage companies offering to protect sensitive financial, government or health data will have strict security measures in place to limit the possibility of data theft, in order to protect their reputation and shield them from liability.

By contrast, there are several services that provide access to online photos, music and documents that are not likely to have the level of encryption or security necessary for storing confidential, sensitive information.

At a recent workshop, The American Psychological Association Insurance Trust (The Trust) recommended some sites that may be appropriate for cloud storage services:

APA continues to look into this issue and will provide updates as more information becomes available.

Please note: Legal issues are complex and require expertise that cannot be provided by any single article. This article does not provide legal or technical advice and does not endorse any product mentioned in the article. The information in this article should not be used as a substitute for obtaining personal legal and technical advice and consultation prior to making decisions regarding individual circumstances