The health care industry relies on data. Physicians need data to make the proper diagnosis, and they increasingly need to share data with other providers. One way of making this data available to those who need it is to store it in the cloud. However, several data ownership issues must be addressed prior to entering into a service level agreement with a cloud storage provider.
For starters, the term data ownership seems to take on two separate meanings in the health care industry. On the surface, data ownership refers to the organization that the data belongs to. It is generally accepted that the organization that created the data is the data's owner.
The other definition has more to do with responsibility for the data. Those who are in possession of the data are responsible for the safe keeping of that information. In this regard, the data owner has the ability to view and to derive benefit from the data and, also, to make the data available to others.
With these definitions in mind, a number of issues must be considered before data can be outsourced to the cloud. One such issue is that of legal possession. When cloud storage first began to take hold, there were some rather unscrupulous cloud storage providers that tried to strong-arm customers into keeping their subscriptions indefinitely. They included provisions in the cloud service contracts essentially stating that any data stored on the cloud provider's servers became its property. In other words, if a customer decided to cancel its subscription, it would lose all its data.
Although this scam is not as widespread as it once was, it is something to watch out for. Make sure that, if you ever cancel your subscription with the cloud storage provider (or if the provider goes out of business), then you have a way of getting your data back -- and that your data will remain in a usable format.
Data ownership, possession and backup
As you will recall, the second definition of data ownership has to do with responsibility for the safe keeping of the data. Even though cloud service providers may not be the legal owners of the data, they possess the data and, therefore, have several responsibilities.
One of its primary responsibilities is access control. Cloud storage providers must isolate customer data -- that is, data should be accessible only to the organization that uploaded it.
Although employees of cloud storage providers should not have direct access to their customer’s data, providers do have a responsibility to ensure that the data is backed up -- and that the backups are maintained in a responsible manner that prevents data disclosure.
Several HIPAA requirements revolve around a patient's access to his or her records. Although the health care organization that created the records maintains ownership of the data, HIPAA guarantees patients the right to review and copy their medical records and the right to request that inaccuracies in medical records are corrected. (Meaningful use also requires health care providers to give patients an electronic version of a clinical summary of their doctor's visit within three business days.)
This requirement shouldn't usually be a problem, as patients should not be accessing the cloud directly to download their medical records. Even so, the data has to be stored in a way that allows providers to download copies of medical records to provide to patients. This requirement may sometimes impact an organization's choice of cloud storage providers.
Health care organizations must work with cloud storage providers to ensure that patients are able to receive the required information.
A similar issue that organizations must consider prior to storing data in the cloud is that HIPAA gives patients the right to know who has accessed their medical records in the past. As a result, you will have to determine who will be collecting and providing this information. The organization that created the data -- the data's legal owner -- is ultimately responsible for access logging, but the cloud provider may also bear some of the ownership burden, since it has physical possession of the data.
One last data ownership issue that may also come into play is that HIPAA gives patients the right to be informed of data handling practices of "medical practitioners and providers." This seemingly simple requirement can complicate things when data is moved to the cloud because cloud service providers may be reluctant to fully disclose their data handling practices.
In some ways, this requirement falls into a gray area. It applies to medical practitioners and providers. While a cloud storage provider is a provider, it is not necessarily a medical provider and, therefore, may not be subject to this regulation. Even so, as the data's legal owner, a health care organization is responsible for telling patients how their information is being handled. The health care organization must work with the cloud storage provider to ensure that patients are able to receive the required information.
All of these issues surrounding data ownership when health care data is stored in the cloud call for a close look. Because cloud storage is still relatively new, many issues still have to be sorted out. Even so, the HIPAA Security Rule states that covered entities that outsource some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements.
It is important to keep the various aspects of data ownership in mind as you begin to formulate a cloud storage plan.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at firstname.lastname@example.org.