Healthcare providers, health plans, and other entities are increasingly utilizing cloud services to collect, aggregate, store and process data.  A recent report by IDC Health Insights suggests that 80 percent of healthcare data is expected to pass through the cloud by 2020.  As a substantial amount of healthcare data comprises “personal information” or “protected health information” (PHI), federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, raise significant questions for healthcare providers and health plans utilizing the cloud in connection with such data.  Such questions include whether HIPAA requirements extend to cloud providers, whether and how entities storing health data on the cloud will be notified in case of a breach, and whether storage of data overseas by cloud providers triggers any additional obligations or concerns.

Given the complex legal issues at play, any contract between a healthcare provider or health plan and a cloud service provider that involves using the cloud in connection with PHI should address the regulatory restrictions and requirements applicable to PHI.  By way of example, recent guidance from the HHS Office for Civil Rights suggests that healthcare providers likely must have a business associate agreement in place with their cloud service provider.  Moreover, although cloud providers might not regularly access the data they store and may never “use” or “disclose” that data as those terms are defined under HIPAA, cloud providers probably need to adhere to HIPAA breach notification requirements.  There have also been indications of late that HHS may consider it advisable, if not required, that entities subject to the HIPAA Security Rule encrypt PHI even when that data is at rest and not being transmitted electronically.  The recent data breaches involving health plans Anthem and Premera highlight the vulnerability of healthcare data and may lead to further pressure on providers to implement additional encryption measures.

Even if HIPAA rules do not apply to cloud service provider contracts, healthcare providers and health plans storing data on the cloud should be aware that many states now have privacy and breach notification laws which could come into play.

Finally, in addition to addressing the regulatory requirements and data privacy and security, a healthcare provider or health plan should negotiate appropriate service level terms with the cloud provider that address such issues as the performance requirements for the cloud network and the process and procedures for addressing problems with the cloud network.  The healthcare provider or health plan should also include appropriate back-up and disaster recovery provisions in the contract with the cloud provider, as well as appropriate remedies in the event it suffers losses as a result of the contract.

*Update: register to attend our webinar on this subject on Wednesday, May 13. 

Paige Jennings

Paige Jennings is an associate in Covington’s Washington office. She works with the firm’s Federal–State Programs, Health Care, Antitrust, and Litigation practice groups. Ms. Jennings joined the firm after a number of years working on health policy matters in the government and private sectors. Prior to earning her law degree and Master of Public Affairs, she worked in the U.S. Senate for over four years, advising Senators John Breaux and Tom Carper on health and social policy matters. Ms. Jennings later handled federal health policy issues at WellPoint, Inc. During law school, she worked with the U.S. Office of Management and Budget during consideration of the Affordable Care Act, and with the Federal Trade Commission for then-Chairman Jon Leibowitz.

Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

Ramy Ramadan

Ramy Ramadan’s practice focuses on mergers and acquisitions and project development and finance transactions. Mr. Ramadan also advises clients on general corporate matters, securities offerings, and technology and IP transactions.

Lee Tiedrich

Lee Tiedrich brings together an undergraduate education in electrical engineering and over twenty years of legal experience to assist clients on a broad range of intellectual property and technology transaction matters. Her work spans several industries, including ehealth, life sciences, consumer products, communications and media. She counsels both private and public companies, as well as venture capital firms and corporate venture groups in their investments. Ms. Tiedrich has extensive experience negotiating complex intellectual property acquisition, licensing, and development agreements, and regularly counsels clients on strategic issues, such as developing and maintaining intellectual property portfolios and evaluating and addressing intellectual property-related assets and risks.