Do laws control the clouds?

By Jeff Rowe
10:08 AM

In an age so defined by technology, two seemingly contradictory assertions seem pretty safe.

First: the legal system will always be playing catch-up to technological change. Second: those who decide to use new technologies would do well to understand current law, regardless of whether or not it’s up-to-date.

Take, for example, the use of cloud computing to store personal health information.

In an age so defined by technology, two seemingly contradictory assertions seem pretty safe.

First: the legal system will always be playing catch-up to technological change. Second: those who decide to use new technologies would do well to understand current law, regardless of whether or not it’s up-to-date.

Take, for example, the use of cloud computing to store personal health information.

As these attorneys ask: “Can HIPAA-covered entities (e.g. health care providers and health plans) store protected health information (PHI) in the cloud and still comply with HIPAA privacy and security regulations?”

Given the growing interest in cloud services among healthcare providers, that question will likely be on the minds of a growing number of people. And the answer, these attorneys say, is: “It depends. It depends on the cloud computing service provider and how that provider sees itself and its obligations to protect the privacy and security of the data.”

While that may seem a somewhat slippery answer, by the end of their article they’ve done a good job of tracing a pretty clear path through what remains, if you will, a fairly cloudy issue.

For starters, they point out that “Business associates include those third parties that provide data analysis, processing or administration, as well as those that perform any other function or activity regulated by the Privacy Rule.” Given both this definition and the role played by cloud computing providers, “it seems clear to us that cloud computing providers who provide these services to HIPAA-covered entities are business associates.”

But unfortunately, not all cloud computing providers see it that way. “In fact, most cloud computing providers do not deal exclusively with health care providers and health plans, so the concept of being a business associate, frankly, might be a foreign concept to them.”

So what’s a provider to do? Well, you might say providers need to “trick” the cloud service provider into being a business associate. Or, put in less nefarious terms, “when entering into a service agreement with a cloud computing provider, a covered entity should ensure that the cloud computing provider agrees to the terms of a business associate agreement, which usually is in the form of an amendment to the underlying service agreement.”

In other words, healthcare providers should make sure that cloud providers agree to the services necessary to render both providers HIPAA-compliant, regardless of whether or not the cloud providers consider themselves legally obliged to do so.

For policymakers hoping to help providers through the HIT transition, this is just one example of how encouraging that transition may involve helping providers and would-be associates navigate a still-unclear legal landscape.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.