Attorney: Cloud Services Offer Affordable Solutions but Raise Privacy, Security Risks

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

While cloud computing services offer affordable technology and data management solutions for health care providers—particularly small providers—attorneys are advising hospitals and physicians to be aware of the privacy and security risks to protected health information that also come with cloud computing.

Attorney Joseph I. Rosenbaum, with Reed Smith in New York, told BNA that he advises health care providers who are considering the benefits of cloud computing for their practices to also consider the privacy and security concerns related to cloud computing services and to address those concerns in contract negotiations with cloud services providers.

Of particular concern, Rosenbaum cautioned, are health care providers' and, possibly, cloud services providers' obligations under the Health Insurance Portability and Accountability Act.

Health care providers, as HIPAA-covered entities, must comply with the HIPAA Privacy and Security rules. Cloud services providers may have similar compliance obligations as business associates under new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which have yet to be finalized in rulemaking.

However, Rosenbaum said, health care entities contracting for technology services such as cloud computing may not pay as much attention as they should to their contractors' obligations under HIPAA, and cloud services providers may not know that they have HIPAA compliance obligations at all.

Cloud services providers that ultimately meet the HIPAA definition of a business associate could argue that they did not know about their obligations under the statute and had no reason to know. But, Rosenbaum said, in a highly regulated environment such as health care, cloud services providers contracting with health care entities would at some point likely be expected to ask about their obligations.

Contract Considerations.

Rosenbaum said that the chapter on cloud computing in health care in a recent white paper, Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing, which he co-authored with Reed Smith attorney Vicky G. Gormanly, was written to raise some of the questions that health care providers and technology services providers should be considering in transactions with one another.

For example, he said, a health care provider seeking technology services should consider whether it has an obligation to explain its HIPAA compliance obligations to the cloud services provider, or whether the cloud services provider has an obligation to ask about its clients' businesses and to seek on its own to understand the compliance requirements that might affect the contract.

Health care providers also should consider the business associate obligations their cloud services providers might have under HIPAA, even though it is not clear under what circumstances a cloud services provider would be considered a business associate, Rosenbaum and Gormanly wrote in the white paper.

“Generally, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides services to, a covered entity that involves the use or disclosure of individually identifiable health information,” the attorneys wrote in the paper.

Rosenbaum noted that the Department of Health and Human Services Office for Civil Rights, in a proposed HIPAA rule covering business associate obligations, expressly said that entities that facilitate the transmission of data are considered business associates. By that definition, he said, many cloud services providers could likely be considered business associates and be required to comply with HIPAA rules. That also means covered entities should consider whether to enter into business associate agreements with their cloud services providers that spell out each party's HIPAA obligations.

Regarding contracting, Rosenbaum said that cloud services providers are in many cases concerned about liability and risk management, and that their starting position in contract negotiations with health care providers is that compliance with the federal rules governing the health care industry is primarily the responsibility of the health care entity.

However, he said, successful contracts between health care providers and cloud services companies strike the right balance, ensuring that both parties take the steps needed to comply with federal rules and to protect the privacy and security of health care data.

By Kendra Casey Plank