It’s 3 a.m., do you know where your patient’s data is?

07 November 2013 | Hemant Pathak , Assistant General Counsel, Microsoft

This week my Microsoft colleagues and I attended and participated in the U.S. News and World Report Hospital of Tomorrow conference in Washington, D.C. As part of the event, I served on a market insights panel which explored the ways hospitals and other healthcare organizations are leveraging technology to engage consumers through meaningful patient and provider interactions, privacy protections, and patient centered care.

This gave me the opportunity to talk about something I’m very passionate about - data privacy and security.

Currently, health organizations of all sizes and types possess enormous amounts of personal and sensitive information.  This includes not only HIPAA protected health information (PHI), but also sensitive financial, tax, HR, R&D information and much, much more.

Health organizations and their vendors have an unequivocal shared responsibility to protect the privacy and security of this data. As more organizations contemplate a move to the cloud, a formidable question for the CIO becomes, “How do I ensure that our organizations’ and our patients’ data is protected in a cloud environment?” At 3 a.m. you should know who has that data, where it is, and what they are doing with it.

So, how can a health organization have confidence that the vendors it works with and who store their information in a cloud environment will act as a trusted data steward when protecting that data?  Here are some top line items a C-Level healthcare organization executives should think about when selecting a cloud vendor:

Business Model – What is the business model of a cloud vendor? A vendor interested in data should have a business model where the revenue comes from the provision of the cloud services to a customer base, and revenue is not derived from your or your patient’s data for any secondary commercial purpose such as advertising.  HIPAA has very prescriptive requirements around PHI for any secondary uses. Cloud vendors must expressly spell out how they are using data as a business associate under HIPAA.  Proceed with caution if they are reluctant to do so.  However, HIPAA should be viewed as simply an entry point for considering a cloud vendor in the healthcare environment.  Given the broad range of sensitive information that a healthcare organization handles in addition to PHI, your cloud vendors should be adopting the same strict privacy and security standards across all of your data.

Design – Is the vendor cloud separately engineered to provide enterprise-class protections? Or is it a consumer-based service where data can be shared between enterprise and consumer services? Be wary of co-mingling as data in the cloud could potentially “rain” all over if enterprise and consumer cloud services are not logically separated by the vendor.

Regulatory Obligations – Does the cloud vendor explicitly comply with applicable privacy laws and regulations? What is that vendor’s track record? One best practice we have employed at Microsoft is engaging a cross section of the industry to evaluate our privacy and compliance posture. For example, we collaborated with Payers, Providers, and academic medical centers like Emory and Duke University, handed them a pen and asked them to help us draft a BAA that aligned our service offerings and capabilities to regulatory requirements and market expectations. This way our customers can be confident that our BAA was created with deep industry collaboration and academic medical center review. This process has since led to our BAA being signed and validated by many leading government, academic and commercial customers. Our BAA is currently helping hundreds of customers address HIPAA compliance requirements, while enabling them to enjoy all the security, cost savings, efficiencies and cross boundary collaboration benefits that Microsoft cloud solutions deliver. 

Transparent Contractual Terms – Do you understand what you are reading in the contact?  With all contracts, transparency is critical.  Commitments around privacy should be simple, clearly stated and easy for your lawyers and procurement personnel to find. They should not be obtuse, or require “a chase down a rabbit hole” of many links and documents. Vendors should agree to specific contractual protections, including: (1) use of customer data only to provide and manage the service for you; (2) no capturing, scanning, indexing, mining or use of your data for advertising or any other unauthorized secondary purpose; and (3) no mixing of consumer and enterprise cloud data. 

The cloud is a new frontier for many health organizations and in an industry where efficiency is paramount, the cloud can offer a lot of rewards.  Just make sure your cloud partner understands, and transparently shares the responsibility of being a trusted data steward for your and your patient’s data.

For further information regarding Microsoft’s commitments to cloud security, privacy and compliance transparency see: and

Hemant Pathak
Assistant General Counsel, Microsoft