Patient privacy concerns loom large as providers shift to the cloud

The cloud is all the rage today, and healthcare providers are storing personal health information (PHI) on remote servers for an increasing variety of purposes. In a commentary on iHealthBeat, healthcare attorneys Bruce Merlin Fried and Rebecca Fayed urge doctors and hospitals to consider the HIPAA implications of dealing with "computer cloud providers."

HIPAA regulations make healthcare providers responsible for obtaining assurances from their "business associates" that they will safeguard the PHI that providers disclose to them. For an electronic health records (EHR) vendor that serves its product remotely, it's obviously a bad business move to violate this admonition. But there are many other cloud providers who just store data and have clients outside the healthcare industry. Fried and Fayed thus recommend that healthcare entities obtain written business associate agreements from every cloud provider they use.

That's sound advice; but what of companies that don't want to sign such agreements because they don't regard themselves as business associates? Two examples that spring to mind are Google Health and Microsoft HealthVault, which have steadfastly denied that they're business associates of providers. They've done that even though both have solicited clinical data from Day 1 to help populate their personal health records (PHRs) and make them more valuable to consumers. Both have deals with prominent health systems for clinical data, and Microsoft has also said it's open to providers transferring records to HealthVault using the Direct protocol.

In 2009, the American Recovery and Reinvestment Act (ARRA) amended the HIPAA statute to define PHR vendors as business associates. A recently proposed amendment to the HIPAA law reiterates that fact. But Microsoft and Google still apparently regard themselves as beyond the reach of the law.

It will be interesting to see what happens when somebody's PHI is hacked out of their HealthVault or Google PHR. Will the government prosecute the doctor or hospital that provided that information?

To learn more:
- read the iHealthBeat commentary
- see the government's proposed HIPAA amendments (.pdf)
- check out this article on BNET about Google and HealthVault from 2009