OpenEMR hosting on Amazon Cloud

burt brown
  • burt brown

    burt brown - 2014-02-15

    Does anyone have experience in regards to installing openemr on the Amazon cloud. Know how download the system on our server but there takes some special consideration when doing it especially to ensure that HIPAA parameters are in place.

    • Tony McCormick

      Tony McCormick - 2014-02-16

      First you need to gry a signed BAA from Amazon. They will do that now.

      Tony McCormick
      On Feb 15, 2014 2:16 PM, "burt brown" wrote:

      Does anyone have experience in regards to installing openemr on the Amazon
      cloud. Know how download the system on our server but there takes some
      special consideration when doing it especially to ensure that HIPAA
      parameters are in place.

      OpenEMR hosting on Amazon Cloud

      Sent from because you indicated interest in

      To unsubscribe from further messages, please visit

      Please be aware that e-mail communication can be intercepted in
      transmission or misdirected. Please consider communicating any sensitive
      information by telephone. The information contained in this message may be
      privileged and confidential. If you are NOT the intended recipient, please
      notify the sender immediately with a copy to and
      destroy this message.

  • Pieter W

    Pieter W - 2014-02-16

    How do I translate "gry a signed BAA" in general practitioners terms, or do I have to read the hosting on Amazon article first?

  • fsgl

    fsgl - 2014-02-16

    Anyone who handles medical information in the U.S. is bound by law to protect the medical records.

    Here is the CMS (Medicare) definition of the Trading Partner Agreement:
    "The Centers for Medicare & Medicaid Services (CMS) is committed to maintaining the integrity and security of health care data in accordance with applicable laws and regulations. Disclosure of Medicare beneficiary eligibility data is restricted under the provisions of the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Medicare beneficiary eligibility transaction is to be used for conducting Medicare business only.

    In its administration of the Medicare Fee For Service (FFS) program, CMS is a covered entity under the HIPAA rules. This Trading Partner Agreement serves to identify entities external to CMS that will exchange HIPAA compliant electronic transactions with CMS applications. The information collected will enable CMS and the Trading Partner to establish connectivity, define the data exchange requirements, and stipulate the responsibilities of the entities receiving CMS-supplied beneficiary eligibility information."

    Before a practice transmits medical records to a recipient, who is not part of that practice, a prior agreement must be obtained from that recipient to safeguard those records as provided by law.

  • Pieter W

    Pieter W - 2014-02-17

    If I am a medical doctor and have worked for more than 25 years without EMR. There comes a thief and steals records before the police can handle and I was on vacation. Is this a U.S bound by law and a breach of sufficiently protecting the records?

    Now I am working on the net. Someone passes the built in security..... login password, several protection measures, but he/she steals because they know how to dig into the directories of the fifth level, as was just posted in another tread. Is this not more or less the same? you do your best to protect, but someone hit the correct buttons/breaks te window..... etcetera, etcetera etc....

    If you do not give a correct Login and correct Password you can not Login and can not see what directories you can find in the next level directories (please correct me if this statement is wrong. So only insiders that have been in the directories can take a view at what Directory to go for more info. In my opinion this illegal intruder is a thief and should be punished as such. Not the person that tried to protect is a criminal, but the person who did the criminal act and is able to find things that should be hidden for outsiders.

    Please give me your opinion, not the lawyer that accuse without knowledge of how easy it is to steal a laptop.

  • Tony McCormick

    Tony McCormick - 2014-02-17

    A business assoc agreement (BAA) is a document that acknowledges that you and your business partner, whether a technology partner, employee or a consultant will have direct or indirect access to Protected Health Information as defined by the HIPAA Omnibus law. Mostly you are agreeing to make an effort to avoid breaches and to report them whether malicious or accidental to the effected parties.

    Only a few hosting providers will sign that agreement, almost none of them with individuals, only other vendors/resellers.

    The fines for a discovered breach that YOU did not report can be up to $15,000 per incident. If you report it diligently they are forgiving and may not fine you at all.



  • Tony McCormick

    Tony McCormick - 2014-02-17

    Note: if you have PHI on a mobile device or thumbdrive that is lost or stolen and is NOT encrypted you will be fined if the breach is discovered.

  • Pieter W

    Pieter W - 2014-02-17

    It all boils down to the Fort Knox rules. I do the utmost to not them steal, and if they manage to steal I report the obvious as soon as possible. Some things can be seen more clearly as others during the stealing process. Stealing a lap-top is not accepted but definitely a daily issue. Stealing from the Internet is still high profile business.

    Thank you for this extensive explanation(s).

    I will get my thumb-up devise to get almost full protection. I remember I was shot and those idiots put my thumb on my devise to open OpenEMR to see that I did not have AIDS related complaints.

  • fsgl

    fsgl - 2014-02-17

    The maximum penalty for the violation of HIPAA, if the medical information is use to gain a profit, is $25K and or 10 years in prison. It may come down to the discretion of the prosecutor how the law is interpreted and if they want to throw the book at you.

    The most disturbing aspect is the fact that the medical records can be stolen electronically and we have no inkling that it occurred. On one hand the federal government will penalize us if our EHR's are hacked but on the other hand the same government will punish us if we don't enable Patient Portals.


Log in to post a comment.