Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

EHR Hosting Demystified – What to Look For (and Look Out For), on Your Way to the Healthcare Cloud

Posted on March 15, 2016 I Written By

The following is a guest blog post by Joe Cernik from eMedApps.

As I write this post I’m trying to reach the cloud. I’m on my third-in-a-row delayed flight segment on this week’s business trip – ARGH!  Ascending to the cloud these days is mostly easy though. My music is there, as are my photos, bank accounts and even my fitness stats collected on my wrist while I’m jogging or while I’m sleeping. Cloud computing has become ubiquitous and healthcare has embraced the transition. Health IT vendors are rapidly migrating EHR, PM and RCM solutions from client-server formats to on-demand, pay-as-you-go cloud hosted solutions.

According to healthcare analyst IDC, organizations that use on-site data storage spend 32% more on IT support than organizations that use an outside hosting provider. From infrastructure costs of servers and support staff to application deployment and ongoing maintenance costs, on-premises software can be a high-touch, high-cost model. Most EHRs are either in the cloud today, or claim cloud compatibility. The cloud promises scalability, interoperability and business continuity – but where do you start to evaluate solutions and define your own path to the cloud?  Here are a few basics to get you going.

Ready, set, cloud….

Step 1: Understand hosting and cloud approaches and determine which type is right for you.

Insourced Hosting: A model also called managed services, managed client-server, or managed on-site hosting, where the hosting vendor provides end-to-end management of your complete EHR/PM system including the hardware and software systems installed at your facility. In essence, your hosting vendor becomes a member of your team, in-house, and manages the infrastructure that you own – generally in a client-server configuration. You’re not in the cloud yet, but this may be a first step in that direction if you’re ready to get out of the EHR/PM management business.

Outsourced Hosting: Also called remote hosting, hosted off-premise, and cloud hosting, outsourced EHR hosting locates your critical EHR/PM applications in a datacenter facility – outside of your LAN-based practice or clinic. EHR and patient data is stored on remote servers accessed via secure Internet connections. Fully outsourced remote hosting shifts the expense of procuring, managing and maintaining your EHR application and servers from your facility and your IT team to a fully managed datacenter. Servers are owned, managed, and refreshed by the hosting company.  Now, you’re in the cloud.

Hybrid Model Hosting: Also called hosted client/server in the cloud and managed hosting, this model allows your organization to place your servers into a secure datacenter. This hybrid model between insourced hosting and outsourced hosting allows your organization to leverage existing capital investments in servers and investments in EHR application licenses, but moves the ongoing management and maintenance of this infrastructure investment to an internet accessible, secure remote site. Rather than installing and managing your application on a server in your office, the installation is managed on your server(s) in a controlled data center environment. Your users log into your remote server through a web browser.

Step 2: Understand Compliance and Regulatory Considerations (HIPAA, PHI, MU) Before You Sign a Contract

Your EHR hosting partner should be an EHR application expert, have demonstrable hosting expertise, and meet all regulatory and security protocols.  While this statement may seem obvious, note that no matter which type of hosting solution you consider or eventually adopt, your hosting provider and their facilities must meet all physical, procedural, operational, and technical readiness criteria established for hosting of protected healthcare data. Make certain to evaluate partners for compliance with all HIPAA/HITECH rules and, for outsourced or hybrid solutions, SOC 2 Type II and SOC 3 centers with certificates including: PCI DSS Level 1 and SSAE 16.

Step 3: Evaluate the Costs

Because there is no upfront cost for the software, and an organization is not required to buy a server, a cloud-based EHR may be less expensive than the onsite client/server setup. If one of your greatest hurdles to adopting an EHR is the initial cost of installation, an outsourced hosting model may be worth considering.

Some practices may also prefer to view their EHR expenses as a recurring operational expense (similar to a utility bill) rather than a capital investment. If your practice or clinic has already invested in on-premises infrastructure but want to consider a move to an outsourced hosting model, a hybrid approach may be a good first step with a full transition to an operational expense model on your next hardware refresh cycle.

Models vary among hosting vendors, and some vendors offer contract terms and conditions that offer hosting packages tailored to your revenue projections or offer low introductory pricing that increases over time. Variable models should be evaluated over a five-year cost-of-ownership timeframe to accurately compare costs across vendor plans.

Clear the fog…move to the cloud.

The way organizations procure and deploy IT infrastructure is undergoing a significant transformation. Don’t be confused by the transition – cut through the fog and get to the facts on a hosting solution that will help you meet your business AND patient care goals.  That solution may include ascending to the cloud – there’s a lot of great music already there. Now, let’s see if my plane will make it into another type of cloud today.

The Sneaky Healthcare Cloud

Posted on April 11, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Folks, I’ve read countless reports about the growing emergence of the cloud in healthcare. The thing is, many are studies summarizing broad trends in the industry, rather than news about specific providers who are willing to stand up and say that they actually implemented a cloud solution to house their healthcare data.

If hospitals and health systems are indeed adopting cloud solutions, why aren’t we hearing more about their experiences?  I have a few theories:

*  Migration:  Organizations that move from a legacy data management system to a cloud-based infrastructure have a lot of work to do. These folks probably don’t want to discuss what they’re doing until they’re pretty sure they’ve gotten the job done right.

Outsourcing:  Some healthcare leaders are outsourcing their cloud operations, but they’re not ready to scream to the rooftops that they’ve done so. My feeling is that they want to feel more confident about the relationship before they broadcast what they’re doing.

Security:  If a healthcare facility goes with the cloud, IT leaders there are probably pretty comfortable with cloud security, but I’m sure they don’t want to invite cybercriminals to put them to the test.

Politics:  Implementing the cloud for clinical data management may be a perfectly fine solution, but perhaps those facilities who have gone that way would rather not face criticism from outsiders who don’t agree with them.

Ultimately, the debates over cloud security may die.  As David Linthicum of HealthDataManagement notes, studies suggesting that even the public cloud can be secure are rolling in. (A recent study cited by Linthicum concludes that anything that can be accessed from outside, be it enterprise or cloud infrastructure, has an equal chance of being attacked.)

But for the time being, it seems pretty clear that hospitals aren’t going to hang out banners on their campus boasting about their cloud data infrastructure. Let’s see what happens over the next year or two.

Apps Will Drive Healthcare Cloud Expansion

Posted on January 7, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Right now, only a small percentage of the healthcare industry is making use of cloud technology, largely due to security concerns.  But as the number of applications available in the cloud continue to expand, and vendors do more to meet  healthcare’s specific security needs, providers are getting more comfortable with the idea of using the cloud.

While I mined the following information from a cloud vendor’s blog, I still think it’s pretty credible, so I wanted to share it with you readers and see what you think.

According to a report from cloud vendor CenterBeam, drawing on data from research firm MarketsandMarkets, only 4 percent of the healthcare community used cloud technology in 2011.  However, MarketsandMarkets projects that the cloud use in healthcare would hit $5.4 billion by 2017, the story says.

I might have dismissed that as hyberbole, as the cloud seems to be more about talk than action so far, but then CenterBeam had me hooked.

Apparently, MarketsandMarkets has found that there’s a growing list of applications available on the cloud which weren’t there previously. We’re talking not only about EMRs, but also order entry and software for imaging and pharmacy uses, as well as non-clinical applications for billing, cycle management and claims management. It’s a big step forward.

Will all of this explode in 2013?  I doubt it, given how busy providers are with the EMR applications they’ve got, ICD-10, Meaningful Use and the usual string of IT operational issues to boot.

That being said, when it comes down to it, applications are what drive a new technology, not abstract capabilities which merely sound good.  After all, these days, who’d care about the iPhone without apps? And along those lines, why would providers risk mingling their data with others’ on the cloud unless they saw a real financial and practical upside? New healthcare apps offer that upside.

So with new, hopefully mature health IT applications appearing on the cloud, we may see that expansion that everyone’s been talking about for years now.  It should be quite interesting to watch.

Privacy Group Seeks Rules For Healthcare Clouds

Posted on January 4, 2013 I Written By

Anne Zieger is veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and
compatible with standards required of federal agencies including the HIPAA Security
Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the
appropriate use, disclosure, and safeguarding of individually identifiable information,
which take into account stronger state and federal requirements, Constitutional rights to
health information privacy, and the fact that HIPAA is the “floor” for privacy protections
and was never intended to replace stronger ethical, or professional standards or “best

BAA Requirement and Standardization: Consistent with prior OCR guidance, any
software company given access to protected health information by a HIPAA-covered
entity to perform a service for the covered entity is a business associate. Thus, as OCR
representatives have publicly stated on several occasions, a Business Associate
Agreement (BAA) is required between a cloud computing provider and any customer
entity that uses or discloses protected health information or de-identified health
information. It is imperative that these BAA standards promote the protection of privacy
and security of health information to ensure public trust in health IT systems and promote
quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements.  My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared.  If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry.  Maybe that’s a good thing, but it won’t be a pleasant one for some.

AT&T/IBM Deal Pushes Cloud Back into the Healthcare Spotlight

Posted on October 10, 2012 I Written By

As Social Marketing Director at Billian, Jennifer Dennard is responsible for the continuing development and implementation of the company's social media strategies for Billian's HealthDATA and Porter Research. She is a regular contributor to a number of healthcare blogs and currently manages social marketing channels for the Health IT Leadership Summit and Technology Association of Georgia’s Health Society. You can find her on Twitter @JennDennard.

I remember 2010 as if it were yesterday. I was somewhat new to the healthcare industry, attending my first Healthcare IT Summit, and trying to make sense of all the buzzwords flying around as a result of the HITECH Act being passed the year before. Cloud computing was definitely a hot topic – one that seems to have stood the test of time in the intervening years. Granted, I think its popularity has been somewhat superceded by phrases like mobile health, accountable care, patient engagement and electronic medical records (of course) over the last 18 months, but a recent flurry of cloud-related headlines may forecast a resurgence.

A report released earlier this year from MarketsandMarkets predicts that conditions are ripe for cloud computing to grow at an annual rate of 20.5 percent from this 2012 to 2017. (Bloomberg Businessweek puts the current market for cloud services at $14 billion.) The forecast makes a lot of sense when you look at it from the healthcare angle of Meaningful Use and EMRs. Providers, despite a few legislators’ recent objections, will likely continue to implement and attest during the next few years, leaving healthcare IT vendors – including those who put their EHRs in the cloud (Allscripts, NextGen and athenahealth are just a few that come to mind) – with no shortage of business opportunity.

And there are even more vendors behind those – the infrastructure folks like Verizon (See their recently announced HIPAA compliant cloud service) and Dell that provide the cloud’s backbone, so to speak. You may by now have seen headlines announcing that AT&T has partnered with IBM to offer a new model whereby “IBM … will provide the data-storage facilities and services, and AT&T will … offer the global network that clients will use to retrieve the data,” according to the Bloomberg write up. It is the closest relationship IBM has ever had with a phone carrier.

Undoubtedly, this new model will be tapped for healthcare purposes, but it’s still speculation as to just how it will be adopted for secure exchange of patient health information. I sent out a few feelers via my social networks to see if anyone related to either IBM or AT&T could provide more detail, and got back this statement from an IBM representative: “I would assume that there will be a HIPAA compliant component. It goes without saying that the healthcare industry is a HUGE segment for IBM.”

“Huge” just might be an understatement, as IBM has stated it wants to attain $7 billion in cloud revenue by 2015. In today’s terms, that’s just one vendor making up the current market value for cloud services.

I’ll be interested to see how this plays out, especially as previously lower profile (at least in the healthcare space) technology companies like Dell and IBM, and companies like AT&T and Verizon that are more widely known in the consumer market, continue to make healthcare IT headlines.