Word on the street is that Google and Amazon have quietly started to offer business associate agreements (“BAAs”) to their healthcare customers using their cloud services. As you probably know, the Health Insurance Portability and Accountability Act (“HIPAA”) now requires that cloud providers comply with the HIPAA Security Rule if they process protected health information (“PHI”) on behalf of a covered entity, regardless of whether they sign a business associate agreement. So, while it is nice that these large cloud providers are beginning to execute such agreements, it is not a surprise, and it is probably to their benefit, as they will be responsible directly for HIPAA violations anyway, and such contracts offer them the opportunity to limit their liability as much as possible under the law.
Cloud providers are notorious for trying to disclaim as much liability as possible related to the services they provide. Entering into these business associate agreements gives them the opportunity to state, once again, exactly what they will be responsible for and what they will not. Further, Google stated publicly that if customers have not entered into a BAA with Google, they must not store PHI using Google services. I imagine their contracts reflect this idea—that they will not be responsible for protecting PHI about which they do not know.
Most companies, unless they are larger customers with a lot of leverage, have little power to negotiate responsibility for losses with cloud service providers. Companies nonetheless need to try to negotiate what cloud providers are responsible for, including which liabilities and at what levels. Companies should push to conduct their typical vendor audits with cloud providers. Some cloud providers will give representations as to outside security certifications, such as the Federal Information Security Management Act (FISMA), the International Organization for Standardization (ISO), and the Statement on Standards for Attestation Engagements (SSAE), and such representations are helpful. Further, realize that cloud providers may be outsourcing your data to still other cloud service providers. Companies should therefore make sure that contracts with cloud providers, including BAAs, contemplate liability for downstream losses caused by subcontractors.