Healthcare providers, health plans, and other entities are increasingly utilizing cloud services to collect, aggregate, store and process data. A recent report by IDC Health Insights suggests that 80 percent of healthcare data is expected to pass through the cloud by 2020. As a substantial amount of healthcare data comprises “personal information” or “protected health information” (PHI), federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, raise significant questions for healthcare providers and health plans utilizing the cloud in connection with such data. Such questions include whether HIPAA requirements extend to cloud providers, whether and how entities storing health data on the cloud will be notified in case of a breach, and whether storage of data overseas by cloud providers triggers any additional obligations or concerns.

Given the complex legal issues at play, any contract between a healthcare provider or health plan and a cloud service provider that involves using the cloud in connection with PHI should address the regulatory restrictions and requirements applicable to PHI. By way of example, recent guidance from the HHS Office for Civil Rights suggests that health care providers must likely have a business associate agreement in place with their cloud service provider. Moreover, although cloud providers might not regularly access the data they store and may never “use” or “disclose” that data as those terms are defined under HIPAA, cloud providers probably need to adhere to HIPAA breach notification requirements. There have also been indications of late that HHS may consider it advisable, if not required, that entities subject to the HIPAA Security Rule encrypt PHI even when that data is at rest and not being transmitted electronically. The recent data breaches involving health plans Anthem and Premera highlight the vulnerability of health care data and may lead to more pressure for providers to implement additional encryption measures.

Even if HIPAA rules do not apply to cloud service provider contracts, healthcare providers and health plans storing data on the cloud should be aware that many states now have privacy and breach notification laws which could come into play.

Finally, in addition to addressing the regulatory requirements and data privacy and security, a healthcare provider or health plan should negotiate appropriate service level terms with the cloud provider that address such issues as the performance requirements for the cloud network and the process and procedures for addressing problems with the cloud network.  The healthcare provider or health plan should also include appropriate back-up and disaster recovery provisions in the contract with the cloud provider, as well as appropriate remedies in the event it suffers losses as a result of the contract.

*Update: register to attend our webinar on this subject on Wednesday, May 13. 

Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Ramy Ramadan

Ramy Ramadan advises clients on their important strategic and complex transactions. His practice focuses on complex cross-border mergers and acquisitions, joint ventures and strategic investment transactions, as well as commercial and technology transactions and corporate governance, with particular experience in the energy & infrastructure, technology, life sciences and F&B sectors.

Ramy also advises clients on project development and finance transactions. He has played a key role in structuring and financing many award-winning projects in the MENA region.

Ramy relocated from the Washington, DC office to the Dubai office in 2018.