Cloud Computing and SaaS - Not the same thing...

John | Evrichart

As with many acronyms and metaphorical references, "cloud computing" and SaaS (Software as a Service) are experiencing identity crises today.  Let me state for the record, and early in this post, that the two terms are not synonymous.  While utilizing the cloud for computer services such as data hosting is technically SaaS, SaaS does not necessarily exist in the cloud.  In fact, with health information, cloud computing is generally a bad idea and often violates HIPAA laws and the new HITECH regulations now strengthening HIPAA.

Let's say you choose to host protected health information (PHI) with a vendor operating in the cloud.  Do you have a guarantee that the data is not accessible by anyone other than a party with a "right" to view the data?  In most cases, the answer is "No".  Is the data vulnerable to attack due to being hosted on a shared server, meaning side-by-side with other, non-related data?  In many cases, the answer is "Yes".  While in-house data centers, or vendors hosting only PHI with signed HIPAA privacy and security agreements, may also be vulnerable, it isn't hard to vet these vendors for full compliance with established privacy and security regulations.  HITECH outlines these pretty clearly here. But that isn't all that HITECH requires.  Along with these standards comes a new, highly energized and tiered penalty structure for privacy and security violations.  In addition, all business associates are now required to have a formal Breach Notification Plan and HIPAA policies and procedures, including employee training and formal designation of a HIPAA Privacy Officer, among other things.  Does "the cloud" reach this level of readiness, or does it even want to reach it?  The answer is, again, most likely "No".

Lest I be criticized for raining on the cloud's parade, it will find its way and will most likely settle in over data not subject to such strict regulations, and that's fine.  In the meantime, in-house networks dedicated to hosting PHI will have a more vested interest in becoming HITECH compliant.  Some will meet the regulations with effort and attention, and others will decide to opt out of the PHI business.  It will be interesting to watch.  Managing health information is not for the faint of heart any longer.  Let the cloud do what it does, and let those serious about security "to the letter of the law" assume your (and their) risk.  That's the smart play.... See article.