Healthcare providers, health plans, and other entities are increasingly utilizing cloud services to collect, aggregate, store and process data. A recent report by IDC Health Insights suggests that 80 percent of healthcare data is expected to pass through the cloud by 2020. As a substantial amount of healthcare data comprises “personal information” or “protected health information” (PHI), federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, raise significant questions for healthcare providers and health plans utilizing the cloud in connection with such data. Such questions include whether HIPAA requirements extend to cloud providers, how and if entities storing health data on the cloud will be notified in case of a breach, and whether storage of data overseas by cloud providers triggers any additional obligations or concerns.
Given the complex legal issues at play, any contract between a healthcare provider or health plan and a cloud service provider that involves using the cloud in connection with PHI should therefore address the regulatory restrictions and requirements applicable to PHI. By way of example, recent guidance from the HHS Office for Civil Rights suggests that health care providers must likely have a business associate agreement in place with their cloud service provider. Moreover, although cloud providers might not regularly access the data they store and may never “use” or “disclose” that data as those terms are defined under HIPAA, cloud providers probably need to adhere to HIPAA breach notification requirements. There have also been indications of late that HHS may consider it advisable, if not required, that entities subject to the HIPAA Security Rule encrypt PHI data even when that data is at rest and not being transmitted electronically. The recent data breaches involving health plans Anthem and Premera highlight the vulnerability of health care data and may lead to additional pressure for providers to implement additional encryption measures.
Even if HIPAA rules do not apply to cloud service provider contracts, healthcare providers and health plans storing data on the cloud should be aware that many states now have privacy and breach notification laws which could come into play.
Finally, in addition to addressing the regulatory requirements and data privacy and security, a healthcare provider or health plan should negotiate appropriate service level terms with the cloud provider that address such issues as the performance requirements for the cloud network and the process and procedures for addressing problems with the cloud network. The healthcare provider or health plan should also include appropriate back-up and disaster recovery provisions in the contract with the cloud provider, as well as appropriate remedies in the event it suffers losses as a result of the contract.