A booster shot for cloud privacy standards?
The Administration’s recent promise to introduce legislation based on the Consumer Privacy Bill of Rights has brought the integrity of personal data to the forefront. Arguably one of the most personal manifestations of these issues occurs in the health industry, as consumers have every right to demand greater protections of their personal health information (PHI).
The recent wave of wearable tech manufacturers — including Jawbone, Fitbit, and even heavyweights like Apple — are moving at lightning speed to crunch the numbers on aggregated health data. With the market for cloud-based electronic health record services forecast to quadruple to $6.7 billion between 2011 and 2018, the scope of PHI that could potentially be subjected to industrial-strength data mining technologies is broader than ever. Although the Health Insurance Portability and Accountability Act (HIPAA) offers a starting point for patient privacy, cloud providers in the health industry must do more to safeguard health data.
The patient’s only line of defense
A reasonable starting point: companies must adhere to a new code of practice recently released by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), non-profit organizations that publish voluntary international standards on technical matters.
As it stands, HIPAA allows healthcare providers to use health information without a patient’s consent in certain circumstances: to treat the patient, to obtain payment for medical services, and to improve operations of the health care facility. HIPAA requires health providers to obtain consent before using patient data for marketing, which means “any communication about a product or service that encourages recipients to purchase or use the product or service.”
I use, therefore I consent
The consent provision can pose problems when a healthcare provider uses a cloud service that relies on mining data to bolster its bottom line. This is often because companies write their terms of use in such a way that consent is implied. Indeed, both Amazon Web Services and Google equate using their cloud services to consenting to most advertising-related uses of personal data.
Some advocates may contend that in those circumstances, patients should simply visit healthcare facilities that use cloud service providers (CSPs) whose values align with their own. But this is not how people make decisions about their health. A 2012 survey found that location, quality, and interpersonal characteristics are among the most common factors that patients consider when selecting a physician. And in cases where a specialty is needed, patients may not have the luxury of discriminating beyond a few basic factors.
Even trained medical professionals can make mistakes when using cloud products to deliver their services. In 2012, a two-physician office in Phoenix was fined for violating HIPAA requirements by using a publicly-available cloud-based calendar to schedule appointments, and in 2013 the Oregon Health and Science University ran afoul of HIPAA by using a cloud-enabled spreadsheet to track patient information. Patients cannot rely on healthcare providers to exhibit adequate adherence to HIPAA.
A new code of practice
A 2013 update to HIPAA’s privacy standards put greater restrictions on profit-making uses of PHI but did not go far enough. With the update, cloud providers have the option of adopting stronger voluntary privacy standards. Released in August 2014, the ISO/IEC code of practice (known formally as 27018) outlines standards for how providers of public cloud services should handle personally identifiable information. Though there is some overlap with HIPAA, the ISO/IEC code of practice draws several important distinctions:
• Separating consent from use: Although both HIPAA and the code of practice require CSPs to obtain consent before using personal information for advertising purposes, ISO/IEC go further by prohibiting CSPs from making consent a condition for using the service. This breaks with the all-too-common practice of embedding consent in the terms of use, thereby giving the patient greater control over his or her data.
• The right to be forgotten (or at least deleted): The ISO/IEC code of practice also requires cloud providers to “implement a policy for the return, transfer or disposal of personal data, for instance when the service comes to an end.” HIPAA has no such provision. Although ISO/IEC only extend the “right to be forgotten” to certain circumstances, protections like this give patients peace of mind that the systems storing their PHI will not be floating unprotected in the ether for eternity.
• Trust, but verify: Although health providers and their associates are legally bound to adhere to HIPAA’s requirements, there is currently no credentialing body that certifies entities for HIPAA compliance. By contrast, the code of practice offers CSPs a mechanism to undergo scheduled third-party audits in order to verify ISO/IEC adherence.
Call to action
Establishing a clear, readily-identifiable certification could help prevent incidents such as the Oregon and Phoenix infractions mentioned above. Moreover, an objective third party can help patients and health providers navigate the ever-shifting sands of CSP privacy policies — which companies can alter at any time.
In an ideal world, the measures outlined above would be mandatory for all cloud providers in all industries. For the time being, however, doctors and patients will have to vote with their feet by engaging with CSPs who voluntarily submit to the more demanding ISO/IEC standards. Companies that do so will be sending a strong signal to the marketplace of their commitment to protecting the privacy of health data.
Julie Anderson is a SafeGov expert in government and organizational transformation. She previously served as the senior policy official at the Department of Veterans Affairs as the VA implemented new health care technologies. Prior to that, Julie worked at IBM where she focused on enabling technologies for health care regulators and providers.