Traditional Onsite Storage
Health information privacy laws require covered health care providers and payors as “covered entities” to protect the confidentiality, integrity and availability of ePHI. Traditionally, this has involved storing patient records and other PHI onsite, on systems controlled by the covered entity.
The benefit of onsite storage is that the covered entity can implement and enforce policies and procedures to control access and ensure confidentiality of the stored PHI, literally placing it under “lock and key.” The downside of onsite storage is that the PHI is housed in one location, vulnerable to power outages, fire, hurricanes and other natural disasters, and as the volume of PHI grows, maintaining enough onsite storage capacity may become costly. Additionally, such onsite storage may present significant obstacles for the covered entity when attempting to access PHI from other practice locations.
The Cloud Storage Commeth
Cloud computing is similar in many ways to a data warehousing solution and generally means that data in the “cloud” is stored on a network of servers that provide storage capacity for a “virtual environment” managed by the cloud storage vendor. Data stored in the cloud is accessible anywhere there is an internet connection, and the cloud vendor typically maintains firewalls, backup and disaster recovery procedures, alternate power management and other mechanisms to significantly reduce any possibility of data loss. The cloud vendor also controls who has access to the data, where the data is physically located and how the data is segregated from other data on the shared server network.
The servers used for cloud storage may be distributed over a number of physical locations (including internationally) and the virtual environment is accessed, in a “public cloud,” by multiple clients of the cloud vendor that share space on the network of servers. The cloud vendor is responsible for ensuring careful segregation of each client’s data to prevent unauthorized access by one client to another client’s data, and for security purposes. The cloud storage model is more vulnerable to attacks than onsite storage as hackers may attempt to access the data from the Internet and are tempted to do so with a significant amount of data from multiple parties being stored on the shared server network. Along with firewalls, antivirus software and a number of other defensive tools available to cloud vendors, segregating client data reduces vulnerability to a successful breach.
In this piece we focus on the “public” or “shared” cloud model, with multiple clients sharing space on the cloud server network. “Private” clouds are also available that offer dedicated cloud server space for a particular client.
 45 C.F.R. § 164.306(a).
Clay B. Wortham
McBrayer, McGinnis, Leslie & Kirkland, PLLC