Electronic Healthcare Law Review: Health Professionals and Cloud Provider Agreements
With ever increasing requirements to create and safely maintain health information, health providers actually have, and are expected to have, more “information” than ever before. As such, it is no surprise that custodians of health information frequently turn to technology, for both creating and storing that information, in order to function effectively and efficiently. Of course, where there is evolving technology there are also inherent evolving risks and complications. From the inadvertent loss of health information to the unauthorized access for curiosity or for ulterior motives, to hacks, to ransomware, the risks seem to develop at a much faster rate than both the technology itself and the legislation that is enacted in an attempt to regulate or govern it.
But as the old adage states, without risk there can be no reward and the bene ts to use of technology, including the Cloud, cannot be ignored. The advantages of the Cloud are as massive as, well, the Cloud itself. In the health sector, such advantages include much needed cost savings and efficiency but more importantly, access to real time information, improvements to services and the ability to provide collaborative healthcare in a whole new manner. Given the advantages, it is no surprise that the health care sector is intent on making the Cloud work. However, it is naïve for a healthcare provider to think that he or she can blame a privacy breach on the technology alone and that this will offer protection against a College complaint, an investigation by the Privacy Commissioner or a civil claim for “intrusion upon seclusion.”As such, like healthcare decisions themselves, use of the Cloud for the storage and networking of health information requires proper and complete “informed consent.” This means, for health information custodians, compliance with applicable legislation (in Ontario, the Personal Health Information Protection Act, 2004 [“PHIPA”]), an understanding of the available options, and proper documentation or agreements.
For consumers or patients whose personal health information is stored in the Cloud, this means being provided with sufficient information about the steps taken to safeguard their personal health information in order to make informed choices about their personal health information.
As a starting point, it is important for health custodians to sift through the available information from and about Cloud data services providers, and to perform some level of due diligence. Looking at a provider’s history and speaking with some of their past and current customers would be a recommended first step. Other factors to consider are whether the business is owned or operated inside of Canada and where their data centre is actually physically located.
