When I was giving my HIPAA seminar in three cities in Wisconsin recently, several seminar attendees said that they were in the process of switching to cloud computing and that they hadn’t really thought of the legal risks. The National Institute of Standards and Technology (“NIST”) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, applications, and services, that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. For a health care provider, stated more simply, cloud computing involves hosting your electronic health and other records in “the cloud” rather than on your server.
A public cloud is one in which the infrastructure and other computational resources that it consists of are made available to the general public over the internet. A cloud services provider owns it, and by definition, it is external to an organization. A private cloud is one in which the organization owns and operates the computing environment. Obviously, a private cloud gives the organization greater control over the infrastructure and computational resources.
As covered entities maintain and transmit more and more data electronically, cloud computing may become attractive and cost-effective. But it carries risks, both technical and legal. This post focuses on the legal risks, among which are the following:
- Cloud providers attempt to keep warranties to a minimum, often offering their services on an “as is” basis. They may reserve the right to suspend service in the event of downtime or other event. Having them suspend access to your electronic health record (“EHR”) could certainly result in bad patient outcomes.
- Many cloud computing contracts have indemnity clauses in which the user must indemnify (pay the cost of) any losses incurred concerning the cloud computing operations.
- Because cloud computing is international and your EHR may not be hosted within the United States, enforcing compliance with laws and regulations, such as HIPAA, may be problematic.
- The cloud providers may have different ideas from yours about to whom they may disclose the data. For example, a cloud provider may be more likely to permit a government inspection of the data than a covered entity would because the covered entity would (presumably) determine whether the governmental access fell within one of the disclosures authorized by HIPAA.
- What happens if the cloud provider goes out of business or, God forbid, goes bankrupt? Do you really want the bankruptcy trustee to decide whether you may access your EHR?
In a presentation titled “Computing (strike that — Litigation) in the Cloud,” Steven Teppler, senior counsel at KamberEdelson in New York, said that litigation concerning data stored in the cloud is already here. He said that users of cloud services will need to insist on service level agreement (“SLA”) terms with their providers to ensure legal and regulatory compliance, searchability, demonstrable customer care (security), provably persistent data integrity and reliability, and demonstrable storage security and integrity for electronically stored information in the cloud.
Covered entities contemplating cloud computing for their electronic health information would need to add to Mr. Teppler’s list the question of whether to get a business associate agreement in place with the cloud provider, something that Amazon or another large provider may be unlikely to enter into.
Stay tuned for more blog postings on cloud computing.