
2.7 Million Reasons Cloud Vendors and Data Centers ARE HIPAA Business Associates

Posted on July 25, 2016

The following is a guest blog post by Mike Semel, President of Semel Consulting.
Some cloud service providers and data centers have been in denial that they are HIPAA Business Associates. They refuse to sign Business Associate Agreements and comply with HIPAA.

Their excuses:

“We don’t have access to the data so we aren’t a HIPAA Business Associate.”

“The data is encrypted so we aren’t a HIPAA Business Associate.”

Cloud and hosted phone vendors claim “We are a conduit where the data just passes through us temporarily so we aren’t a HIPAA Business Associate.”

“We tell people not to store PHI in our cloud so we aren’t a HIPAA Business Associate.”

Wrong. Wrong. Wrong. And Wrong.

2.7 million reasons Wrong.
Oregon Health & Science University (OHSU) just paid $2.7 million to settle a series of HIPAA data breaches “including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.”

Another recent penalty cost a medical practice $750,000 for sharing PHI with a vendor without having a Business Associate Agreement in place.

The 2013 changes to HIPAA that were published in the Federal Register state (with our emphasis) that:

“…we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity.

…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.” 

A cloud service does not need to access PHI to be a Business Associate; storing or managing it is enough. Such vendors must secure the PHI and sign Business Associate Agreements.

The free, consumer-grade versions of Dropbox and Google Drive are not HIPAA compliant. The fee-based business tiers, which offer stronger security controls and for which the vendor will sign a Business Associate Agreement, can be used for PHI. Dropbox Business and Google Apps cost more, but they provide both the security controls and the BAA. A signed BAA covers the vendor's side only: the practice still has to configure and use the service properly (who can access which folders, external sharing settings, audit logging), so make sure you select the right service for PHI and set it up correctly.
Encryption is a great way to protect health information. Properly encrypted data is unreadable to whoever gets hold of it, and the HIPAA Breach Notification Rule treats PHI that has been encrypted according to HHS guidance as secured, so losing it is not a reportable breach. That safe harbor only holds if the encryption meets the guidance and the key was not lost or exposed along with the data.

However, encrypting data is not an exemption to being a Business Associate. Besides, many cloud vendors that deny they have access to encrypted data really do.

I know because I was the Chief Operating Officer for a cloud backup company. We told everyone that the client data was encrypted and we could not access it. The problem was that when someone had trouble recovering their data, the first thing our support team asked for was the encryption keys so we could help them. For medical clients that gave us access to unencrypted PHI.

I also know of situations where data was supposed to be encrypted but, because of human error, made it to the cloud unencrypted.

An easy way to keep this straight: Business Associates are defined in HIPAA's Privacy Rule, while encryption is addressed in the Breach Notification Rule. One does not cancel out the other. Encryption can keep a lost copy from being a reportable breach, but it does nothing to change who counts as a Business Associate.
Data Centers
A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

Taken together, a cloud vendor that stores PHI, and the data centers that house servers and storage devices, are all HIPAA Business Associates. If you have your own servers containing PHI in a rack at a data center, that makes the data center a HIPAA Business Associate. If you use a cloud service for offsite backups, or file sharing, they and their data centers are Business Associates.

Most data centers offer 'Network Operations Center (NOC) services,' an on-site IT department that can go to a server rack to perform services, so you don't have to travel (sometimes across the country) to fix a problem. A data center manager was denying they had access to the servers locked in racks and cages, while we watched his NOC services technician open a locked rack to restart a client server.

Our client, who had its servers containing thousands of patient records housed in that data center, used the on-site NOC services when their servers needed maintenance or just to be manually restarted.
Cloud-Based and Hosted Phone Services
In the old days, a voice message left on a phone system was not tied to computers. Faxes were paper-in and paper-out between two fax machines.

HIPAA treats as a conduit a business that simply passes PHI and ePHI through its system without keeping it, like the post office, FedEx, UPS, phone companies and Internet Service Providers that transport data and never store a copy. Paper-based faxing, where the phone company only carried the signal, fell under that exemption.

One way the world has changed is that Voice over Internet Protocol (VoIP) systems, whether local or cloud-based, convert voice messages containing PHI into data files, which are then stored for access through a portal, phone, or mobile device, or attached to an e-mail.

Another change is that faxing PHI is now the creation of an image file, which is then transmitted through a fax number to a computer system that stores it for access through a portal, or attaches it to an e-mail.

Going back to the Federal Register statement that it is the persistence of storage that is the qualifier to be a Business Associate, the fact that the data files containing PHI are stored at the phone service means that the vendor is a Business Associate. It doesn’t matter that the PHI started out as voice messages or faxes.

RingCentral is one hosted phone vendor that now offers a HIPAA-compliant phone solution. It encrypts voice and fax files during transit and when stored, and RingCentral will sign a Business Associate Agreement.

Don’t Store PHI With Us
Telling clients not to store PHI, or stating that they are not allowed to do so in the fine print of an agreement or on a website, is just a wink-wink-nod-nod way of a cloud service or data center denying they are a Business Associate even though they know they are maintaining PHI.

Even if they refuse to work with medical clients, there are so many other types of organizations that are HIPAA Business Associates – malpractice defense law firms, accounting firms, billing companies, collections companies, insurance agents – they may as well give it up and just comply with HIPAA.

If they don’t, it can cost their clients if they are audited or through a breach investigation.

Don’t let that be you!

About Mike Semel
Mike Semel is the President of Semel Consulting, which specializes in healthcare and financial regulatory compliance, and business continuity planning.

Mike is a Certified Security Compliance Specialist, has multiple HIPAA certifications, and has authored HIPAA courseware. He has been an MSP, and the CIO for a hospital and a K-12 school district. Mike helped develop the CompTIA Security Trustmark and coaches companies preparing for the certification.

Semel Consulting conducts HIPAA workshops for MSPs and has a referrals program for partners. Visit for more info.

Email is Not HIPAA Secure

Posted on December 23, 2010

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

An interesting discussion came up in the comments on HIPAA secure fax services about the security of email. Being a tech person who formerly managed a few different corporate email systems, sometimes I forget that many people don't understand some of the details about the security (or lack of security) that email provides.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There are ways to encrypt email: a TLS connection between two mail servers protects that one hop, and S/MIME or PGP can encrypt a message end to end between two mail clients. But none of these is universally deployed or enforced across the vast number of email providers, so a sender cannot assume that a given message will be encrypted all the way to the recipient's mailbox. I won't go into the details of why this is the case (cost of encryption, competing standards, etc.), but suffice it to say that almost no email system sends encrypted email in a way that would satisfy the HIPAA requirements.

In fact, most of the time when an EMR, PHR or other patient portal wants to send a secure message to someone, it sends an email that contains only a link to an encrypted (HTTPS) website with a unique login; the PHI itself never leaves the portal. They do it this way because there is no recognized and universally adopted standard for encrypting email. Presenting Protected Health Information (PHI) through an encrypted web page to someone who has authenticated with a unique login is HIPAA compliant and doesn't require the receiving email system to understand any encryption. It's a pain, but it's the reality of privacy of health information right now.
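Here is that "send a link, not the PHI" pattern, as an added example that is not code from the original post or from any EMR or portal vendor. The portal URL, the user names, the sample lab result and the in-memory store are assumptions made up for the illustration; a real portal would back this with its database and its own login system. What it shows beyond the paragraph: the email carries only a random, time-limited token, the token is hashed before it is stored, and even a valid link releases the PHI only to a logged-in user who is the intended recipient.

```python
# Added example (not the original post's code): the "link, not PHI" pattern.
# The PHI stays in a server-side store; the email carries only a capability URL
# whose token is random, hashed at rest and time-limited, and the message is
# released only to an authenticated user who is its recipient. PORTAL_URL, the
# store and the user names are hypothetical stand-ins for a real portal.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60
PORTAL_URL = "https://portal.example.invalid/messages"  # hypothetical portal


@dataclass
class StoredMessage:
    recipient: str      # login name the reader must present
    body: str           # the PHI; never copied into the email
    expires_at: float   # unix time after which the link is dead


def _token_hash(token: str) -> str:
    # Store only a hash so a leaked table does not yield working links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SecureMessageStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, StoredMessage] = {}

    def create(self, recipient: str, phi_body: str, now: Optional[float] = None) -> str:
        """Store the PHI and return the unguessable token for its link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._by_hash[_token_hash(token)] = StoredMessage(
            recipient=recipient, body=phi_body, expires_at=now + TOKEN_TTL_SECONDS
        )
        return token

    @staticmethod
    def notification_email(token: str) -> str:
        """The text that actually travels over SMTP: a link, no PHI."""
        return (
            "Subject: You have a new secure message\n\n"
            "A message is waiting for you in the patient portal.\n"
            f"Sign in to read it: {PORTAL_URL}?t={token}\n"
            "This link stops working after 24 hours.\n"
        )

    def retrieve(self, token: str, logged_in_user: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Release the PHI only if the link is valid and unexpired and the
        reader has logged in as the intended recipient."""
        now = time.time() if now is None else now
        msg = self._by_hash.get(_token_hash(token))
        if msg is None or now > msg.expires_at:
            return None
        if msg.recipient != logged_in_user:
            return None  # the link alone is not enough to read PHI
        return msg.body


def email_leaks_phi(email_text: str, phi_body: str) -> bool:
    """Guard for tests: does the outgoing email contain any line of the PHI?"""
    return any(line and line in email_text for line in phi_body.splitlines())


if __name__ == "__main__":
    store = SecureMessageStore()
    phi = "Lab result for Pat Smith: HbA1c 6.1%"  # constructed sample PHI
    tok = store.create("pat.smith", phi)
    mail = store.notification_email(tok)
    print(mail)
    print("email leaks PHI:", email_leaks_phi(mail, phi))
    print("recipient reads:", store.retrieve(tok, "pat.smith"))
    print("someone else with the link reads:", store.retrieve(tok, "mallory"))
```

The token identifies the message and the login authenticates the reader; neither alone releases anything, so a forwarded or intercepted notification email exposes no health information. Hashing the token before storing it means a dump of the message table cannot be turned into working links.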

One of the major reasons many people think email is secure is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption (HTTPS) only protects the connection between your browser and the provider while you log in, read and send mail. It does not guarantee that the message is encrypted when it is handed from Gmail to the destination email system, or while it sits on that system. Aleks from Sfax compared it to a postcard: anyone along the way can read what's in the email, and leaves no trace of having done so.

The only protection ordinary email offers is the sheer volume of it. There are so many useless emails that a particular message enjoys some security by obscurity. That is not security in any sense HIPAA recognizes, and remember that one thing computers are great at is crunching large amounts of data.

One minor exception: if you're sending email within an internal email system, it is possible to set up email encryption, because you control the email system for both the sender and the receiver and so there are ways to do this. However, I know very few people who have actually set this up, probably because anyone on your internal email system usually has access to your EMR, and all the PHI can stay in the EMR instead of your email system.

Now many have said that you shouldn’t use the free email providers like Gmail. After reading this it should be clear. You shouldn’t use ANY email provider for sending PHI. So, whether you use Gmail or some other free email provider it shouldn’t matter since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since is so much more professional than Although, that’s kind of a topic for a different discussion.

When EMR Software Became Free…Or Does It Cost

Posted on July 14, 2008

Written by John Lynn.

I’ve been meaning to write about a new Free EMR for a while. One of my most blogged and searched about topics is free EMR. I guess everyone loves to get something free. Why should free EMR be any different?

The problem with free EMR is that while it may be free from a financial perspective, there are always other costs associated with it. Here are excerpts from an email I recently got about a new free EMR from a company called Practice Fusion:

Today we have a press release going out (below) about Practice Fusion releasing a suite of physician applications, including Practice Management, Scheduling, Secure Email and Patient Management that are free and web-based. These are effectively ‘Google Apps’ for doctors – everything a practice needs to run their office, manage and schedule their patients, communicate with other members of the office – all web-based and at no cost.

I really liked the marketing angle that this company is taking. I personally am a devoted google apps user and I absolutely love what google apps is doing for me. Google apps is a completely free application that gives my businesses (EMR and HIPAA included) a whole bunch of business services with my very own branding. Most important of which are Email and Google documents. In return for using this free service, Google puts ads around the various services. A small price to pay for me to receive free email.

Turns out, Practice Fusion is offering a free EMR using the same model as Google Apps. My email described Practice Fusion’s free EMR revenue model as follows:

We generate revenue by embedding advertising, including pharmaceutical products, into our physician tools. We also incur revenue through the sale of anonymized patient data to research groups, pharmaceuticals, and health plans.

Basically, they're planning on selling ads around people's patient information. People are still freaking out about Gmail and Google Apps placing targeted ads around their email. Why? Because in order to target the ads properly, Google has to scan all of your "private" emails. Does this mean that Practice Fusion is going to be scanning through all of your patient data?

Being completely honest, I personally don’t have much to hide and so Practice Fusion could have a hey day looking through my health information. However, I’m not sure most patients will share my same view. My guess is that most patients would feel very uncomfortable going to a doctor that is using a service like this. I think they’ll feel like their doctor was selling their information to save a buck. It might be one thing if the patient saved some money too, but that’s not going to happen.

Certainly a doctor using this free EMR wouldn't have to tell their patients that it was paid for by advertising and by selling their information. However, could you imagine the backlash if they didn't tell their patients and then someone found out? I'm honestly not sure how many doctors would want to take that risk. Sounds like the perfect 11 o'clock (it's later in Vegas) news story to me. Lead Story: "Doctor Sells Patient Data to Save Money."

Maybe I’m wrong and people won’t care about this or those that do care won’t find out. If that happens, then it’s hard for a doctor to argue with free. I personally haven’t looked at the feature set to know how it compares to other EMR vendors. However, there’s no arguing some of the benefits described in the email I received:

Practice Fusion offers a unique product to small and medium sized physician practices, which was developed using Adobe® Flex® 3 software for creating Rich Internet Applications (RIAs). Practice Fusion’s solutions are web-based, require no upfront costs, no extra hardware, no large software applications to install and rollout, and no backend databases, which are required by traditional vendors such as Misys and NextGen. Where enterprise solutions may take weeks or even months to implement, Practice Fusion’s services utilizes its exclusive ‘Live in Five’ process to enable physician practices to be deployed and up and running within minutes.

Web Based – Awesome! Certainly the future of almost every software application.
No Upfront Costs – Nothing to lose, but also no motivation to avoid EMR implementation failure either.
No Extra Hardware – Very nice for the doctors. Not so much for the IT support people.
No Large Software Applications to Install and Rollout – I hate managing client applications. This is a big plus.
No Backend databases – This isn’t really true since they certainly have a back end database, but the point being you don’t have to manage the backend database. A nice benefit for most doctors.

Now a word about Practice Fusion's "exclusive 'Live in Five' process." I'm certain they can create an instance of their EMR in 5 minutes. However, don't be misled into thinking that you can spend 5 minutes and have a fully functioning and fully configured EMR. It's just not reasonable. It's a nice marketing angle, but it's just impossible.

Think about this for a second. Assume a very small practice of 5 staff. It's going to take you somewhere around 5 minutes just to gather the information and create the user accounts for those 5 staff members. Now add in the myriad of other configurations you'll certainly have to do and you start to realize that your EMR won't be set up and ready to go in 5 minutes. In fact, my experience is that the EMR configuration process is an ongoing process that never ends. Practice Fusion could certainly argue that setting up its free EMR is faster than setting up other traditional EMR software, but don't be fooled by the "Live in Five" marketing.

One final thought before I end this. Let’s go back to my current Google Apps experience. What do I do if Google changes their mind and shuts down their service? There’s not really much you can do. Google’s giving you a free service which they can terminate at any time. Luckily a number of creative IT users have found ways for people to backup their email stored on Google servers.

I finally found a link to this topic buried on the Practice Fusion website. Most of that page talks about how they're more reliable than an in-house system. Interesting that they didn't address what happens when your internet goes down and you're left up a creek without a paddle, but that's a topic for a different post.

The thing that isn’t addressed by Practice Fusion is what happens if Practice Fusion disappears. Sure, it would be nice to think that Practice Fusion will be around forever and it’s great for them to have that confidence, but it’s just not realistic. What if Practice Fusion sells to another company? What if Practice Fusion goes under? What if the free EMR model doesn’t work and Practice Fusion decides to start charging?

It does alleviate some fear that at the bottom of the linked page Practice Fusion says “It’s your data – always.” However, we’re not talking about a bunch of linear data like email. We’re not talking about something in a standard format that can easily be exported between one software to another. We’re talking about Practice Management, Scheduling, Secure Email, Electronic Medical Record and Patient Management. How do you expect them to provide you a “copy” of this data? Would be an interesting experience to try and see what they provide and how responsive they are to the request.

I’m not trying to be overly critical of Practice Fusion. Maybe they have a great product that’s worth every penny. Wait, of course it’s worth every penny since it’s free. Sorry I couldn’t resist. My point here is that doctors should be careful when evaluating free EMR software. There are certainly benefits to a free hosted EMR solution. Just don’t be blown away by the free tag and make sure you know the challenges of free.

By the way, I hope that Practice Fusion will respond to my various assertions and comments with a response in the comments. They seem like they're pretty tech savvy. Just the fact that they have a Practice Fusion Blog is enough for me to give them some props (even if they did use TypePad and not WordPress). You can expect some future blog posts linking to their blog.