Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

NIST Guidelines on Security and Privacy in Public Cloud Computing

Last week I was asked if there was any law or regulation that would prevent a third-party business associate (BA) from storing their customer’s Personal Health Information (PHI) in a cloud environment.

The short answer is no, but the more complex answer is that HIPAA holds BAs and their subcontractors to the same standards as the health care providers themselves. Thus it is critical that serious consideration is given to how the data is to be protected. In this case, the cloud provider would also be a BA and the agreement should reflect their responsibilities in securing the data and their duties if a breach does occur.

One source of guidance is NIST 800-144: Guidelines on Security and Privacy in Public Cloud Computing. Here’s the abstract:

Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

