Healthcare organizations are slowly turning to the cloud to run applications. That's especially true for smaller healthcare providers who don't have the IT staff or resources to roll out and support new in-house applications, let alone the hardware, networking, or other IT infrastructure that goes along with it.

Yet, while some healthcare providers are beginning to sign up for SaaS subscriptions for business- and administrative-related applications, they're holding back, still refusing to move clinical software and patient data.

That's the case with Springfield Clinic, a multi-specialty physicians group with 280 doctors serving 2 million patients in 14 counties in central Illinois. Springfield Clinic has been growing rapidly, adding about 30 to 40 physicians a year through recruitment efforts and mergers. It needed a way to bring these doctors into the group quickly and cost efficiently. So, about a year ago, the group began tapping managed application services from cloud-based services provider NaviSite to run and support the clinic's Oracle PeopleSoft financials, payroll, and HR applications.

The cloud makes it easier and more affordable for Springfield Clinic to add capacity to its systems when new doctors join the clinic, said Springfield Clinic CIO Jim Hewitt in an interview with InformationWeek Healthcare. Newly added doctors to the clinic "still need training and conversion" from their previous financial systems, "but we don't need to worry about expanding the IT infrastructure to do this, the hardware or software," he said.

The clinic also is using cloud-based patient portal software from FollowMyHealth to allow patients to view their medical records, securely communicate with physicians, and schedule appointments.

But for their cloud-based patient portal, patients must voluntarily sign up to use the services and give their consent for data to be accessed by them via the Web. "That takes risk out," said Hewitt about some of the issues Springfield worries about. So far, about 14,000 patients have signed up for the service.

But like many other healthcare facilities, Springfield Clinic is not ready to put the data of its 2 million patients in the cloud by moving their EMR to the cloud, said Hewitt. "Our EMR vendor [Allscripts] is looking at SaaS, but there's been push-back from providers like us," he said. Providers have concerns about putting patients' personal health information on the cloud because of Health Insurance Portability and Accountability Act (HIPAA) concerns and liability, he said.

"I'm the custodian of your health records, but you the patient own it," he said."If I as a healthcare provider sign up a SaaS vendor, I've created a business-associate relationship, and patients don't know who has their data," he said. On the other hand, if a patient signs up to use a portal service, they're informed about their data being on the Web, he said.

"If I'm going to take the records of 2 million patients and put it out on the cloud, there needs to be a great level of trust," he said. HIPAA violations--besides risking the trust of patients--can be incredibly expensive to handle for a healthcare provider, he said.

"If I have an incident with 2 million patient records on the cloud, and I have to pay one year of credit protection at $40 a pop for each of those 2 million patients who might've had their identity violated, that's $80 million to start," not to mention federal fines and other fees and costs associated with fixing the problem, he said. With those risks in mind, "we'll do due diligence on SaaS," before moving the organization's electronic medical records or other clinical systems into the cloud.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)