Is cloud computing right for your practice?

This article discusses cloud computing, including privacy and security issues, to help determine if this option is right for you.

Many psychologists still store records in paper form or on their personal computers. However, as the movement toward using electronic systems for practice management and patient record keeping has gained momentum, cloud computing has become a valuable tool for backup of patient records. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule generally requires that providers maintain backups of patient records. 

The APA Practice Organization (APAPO) provided a basic introduction to cloud computing in October 2011. This article goes more in-depth regarding privacy and security and discusses other options for electronic record storage. 

What is Cloud Computing?

Cloud computing is a method of saving data in an off-site storage system maintained by a third party. Cloud computing affords providers the convenience of accessing patient records from virtually anywhere. Additionally, cloud storage spares the expense of purchasing services or additional computer hardware for electronic storage, and thereby eliminates the need to maintain a large information technology (IT) system on site. It also limits the risk that your files will be lost should an unforeseen event affect your office — such as fire, flood or burglary. By maintaining your records “in the cloud” and not in your physical office space, your patient records are no longer vulnerable to these risks. 

How is cloud computing different from office-based record keeping?

When utilizing a cloud storage system, copies of files are sent over the Internet to a data server where the information is recorded and saved. To retrieve the information, the server is generally accessed through a website portal by utilizing a unique username and password. This site allows the provider to access and edit patient files on the server, or it can be used to retrieve files that can then also be saved on the psychologist’s computer. 

Unlike maintaining hard copy records in your office or on your personal computer, storing data on a cloud storage system means the data can be accessed from any location with Internet access or from a mobile device such as a cell phone or tablet. This could offer more flexibility and convenience for psychologists who practice in rural areas or from multiple locations. 

How do you determine if the Cloud is HIPAA compliant? 

The first step is to research different Cloud computing options. Many sites will indicate that they are Health Information Portability and Accountability Act (HIPAA) compliant on the webpage. When looking at these products, psychologists should look for the option that indicates it is secure for health care providers — many vendors offer more basic versions that may not be HIPAA compliant. If you are unsure, contact the vendor to request more information about their product's HIPAA compliance and available security settings. Some products that claim to be HIPAA-compliant include Carbonite, MozyPro and Sookasa. (APA/APAPO does not endorse any particular products.) 

In order to secure data, most cloud storage companies utilize security techniques such as encryption and authentication. 

  • Encryption uses an algorithm to encrypt or encode the information sent to the cloud. When this information is transmitted to the cloud storage site, it displays as a set of symbols. In order to decode these files, an encryption key (similar to a password) is needed to unlock the data. It is important that you maintain your encryption key in a safe spot and that you do not share it with anyone who is not allowed to have access to your records. 
  • Authentication processes require the psychologist to create a user name and password in order to access the cloud storage site and the files that have been saved within it. Authentication should not be confused with the encryption key. The password will get you access to the cloud while the encryption key will allow you to read the information once you are inside. 

How expensive is cloud computing? 

There is a broad range of cloud computing products and pricing may be based on several factors: 

  • The data storage plan that you choose will affect how much you will pay. That is, the more storage space you need, the more you can expect to pay. 
  • Vendors will often charge an initial start-up cost (which varies according to vendor). 
  • The cloud vendor you choose will likely charge you an additional subscription fee on a monthly or annual basis. Generally, cloud computing subscriptions range between $150-$300 per year and pricing is based on the aforementioned factors. 

What are other options for electronic storage of records? 

Many providers want to maintain control of their data and are not comfortable with it being saved on a remote server managed by a third party. Providers who share this concern should know that there are alternatives for psychologists who would like to save data electronically. It is important to note that in the event of a disaster (as detailed above) these methods will not necessarily protect data in the same way as it would be protected in a remote cloud. 

  • Personal cloud storage gives psychologists the convenience of a cloud computing system but the security of personal storage. Providers store files on a local drive and maintain full control over the data while still being able to access patient files remotely. Personal Cloud storage units look similar to an external hard drive or router but use Ethernet cords to connect to an internet router. If a personal cloud device is used, place it in a different location from the original versions of client files (paper or on computer). By keeping the device separate, you are better protecting your client records in case of disaster such as fire, tornado or flood. 
  • External hard drives provide extra storage for psychologists who want to back up their client files. While external hard drives provide back-up services, they cannot be accessed remotely. They are simply used as a method to back up existing records in your practice. External hard-drives should also be stored in a secure manner, such as a locked fireproof file box, in a location that is separate from client records. 
  • Flash drives allow for the easy transfer of files from one computer to another. However, they should not be considered as long-term backup of client files as they can be easy to lose. For those providers who may have multiple offices or work in rural settings, flash drives will allow the provider to save information and transport it. It is a good idea to purchase a flash drive that provides extra protection such as encryption or requires a password to unlock.
Please note: This article does not provide legal or technical advice and does not endorse any product mentioned in the article. The information in this article should not be used as a substitute for obtaining personal legal and technical advice and consultation prior to making decisions regarding individual circumstances.