Privacy group asks HHS to regulate the cloud

An advocacy group that endorses giving patients control over sensitive health information is asking the Office of Civil Rights for the Department of Health and Human Services to issue guidelines for regulating cloud computing.

“Health providers will benefit from such guidance as they consider moving to cloud services and patients will benefit by knowing which data privacy and security protections should be in place – both will undoubtedly help increase trust and drive adoption,” wrote Dr. Deborah Peel, founder of the Austin, Texas-based Patient Privacy Rights, in a Dec. 19 letter.

The letter cited the case of Phoenix Cardiac Care, which was fined $100,000 by HHS in April for failing to protect the security of Internet-based personal health information.

The privacy group said guidance should include several criteria:

• Secure infrastructure with safeguards, including comprehensive risk assessment by external auditors, data encryption, robust access controls, and measures that include intrusion detection and automated server management systems.
• Security standards that are consistent with federal medical privacy rules and health IT security breach notification requirements.
• Standards establishing the appropriate use, disclosure and safeguarding of protected health information.
• Standard privacy-protection requirements for Business Associate Agreements (BAA) between health-care providers and cloud-computing providers.

“To be clear, keeping information confidential and secure needs to be a top priority,” the letter said, “and more specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds.”