New HIPAA rule could change BAA talks
When the HIPAA Omnibus rule first came down the pike this past January, Jones issued a "prediction" that "business associate negotiations with cloud providers would get very tense … vendors would try to contractually disavow as much as they can."
So far, "in my experience, that has proven correct," she said.
When negotiating BAAs, "be prepared for the back-and-forth," said Jones. "And be prepared to see language that is completely unfamiliar to you, even if you've negotiated BAAs before," as vendors attempt to shield themselves from risk.
It may take "several, several rounds to get to a place where the provider and the business associate are both comfortable with the language," she said. "But go into it with the mindset that it's going to land eventually. You might circle the airport a few times, but you'll get there."
Stephanie Musso, RN, privacy officer at Stony Brook University Hospital on Long Island, agrees. "It's going to be challenging at times," she said.
At Stony Brook, "It was not easy to negotiate the business associate agreement," said Musso. "We had to relook at the vendor's storage security. They were, needless to say, a bit put off that we were asking them all these questions about the security of their cloud: 'Don't you trust us? We've been working with you for 12 years!' This is beyond trust. We have to dot the i's and cross the t's."
The BAAs "were not the easiest things to negotiate, but they did get done," she said.
But going forward, Musso wonders how many companies will have the inclination to go through this rigorous process and take on added liability.
"It's going to be a very interesting climate, identifying those vendors willing to jump into or stay in the healthcare realm with their cloud storage, and those who are not willing to because they don't want to jump through hoops," said Musso.
'We're protecting the privacy of our patients'
Speaking at the Healthcare IT News Privacy & Security Forum in Boston on Sept. 23, Phil Curran, chief information security officer at Cooper Health System in Camden, N.J., outlined the rigorous steps his hospital took to vet its cloud providers.
"The technical evaluation is an ongoing process," he said. "And once we're done with the tech evaluation, we'll send a team out to do a physical visit to the operations center of the vendor that we're looking at."
He added, "Many vendors don't like us, that we do this, but my opinion is that we're protecting the privacy of our patients. I really don't care about vendors' feelings."