Storing health information on the cloud?

Patient health information has traditionally been stored in a paper file in the doctor’s draw or on a local hard drive.

But as online storage solutions mature, doctors and health organisations are now asking whether health information can be stored on the cloud.

What is the cloud?

Put simply, the cloud is a network of software and servers (often in a number of different locations) that run on the internet. Data is digitised and uploaded to a remote server. That data can then be downloaded or delivered to the user upon request, on any authorised device. Common examples include iCloud, Google Drive and Dropbox.

The key advantages of the cloud are that: users can access stored information on any device with an internet connection; and information can be ‘locked’ in the cloud so it cannot be accessed if the local hard drive is hacked.

However, there are also real risks, including that information stored online could fall into the wrong hands.

Can you store health information on the cloud?

The short answer is yes, as long as the correct protections are in place. Ultimately it is a matter for the health provider or organisation to decide whether the benefits of cloud-based storage outweigh the risks.

Australian privacy law and the cloud

The Privacy Act 1988 (Cth) (the Act) regulates management and use of personal information (which includes health information) in Australia. Doctors practising privately and organisations that provide a health service or hold health information are required to comply with the Act and the Australian Privacy Principals (APPs) and are classified as APP Entities.

Before transferring personal information to the cloud, APP Entities should obtain patient consent. A tick-box on the patient information collection form will generally suffice.

APP Entities are also required take reasonable steps to protect personal information held from misuse, interference, loss, unauthorised access, modification or disclosure. These obligations apply whether personal information is stored on paper, a hard-drive, or on the cloud.

It is important to note that if a cloud provider breaches the APPs, the APP Entity that holds that personal information may be held accountable.

What should you check before joining the cloud?

• Check the cloud provider complies with the Act and APPs;
• Check the personal (including health) information remains in your ‘effective control’;
• Check the information is provided to the cloud provider for the limited purpose of storage of data and/or to provide access to you;
• Ensure the cloud provider has appropriate insurance, including cyber insurance;
• Check whether information will be stored on international servers, and if so, make sure the APP obligations that govern cross-border transfer of information have been met;
• Ensure there is a binding contract between you and the cloud provider requiring it (and its subcontractors) to handle the personal information in accordance with the APPs;
• Check you are happy with the terms and conditions of data storage, including that the cloud provider does not have a right to use or disclose the information it holds to third parties; and
• Have a system in place to monitor the cloud provider’s performance on an ongoing basis.

Other privacy obligations

Whether storing personal information in paper files or on the cloud, the other APPs continue apply. These obligations include to:

• Ensure your own practice complies with the Act and APPs;
• Keep backups of personal information;
• Obtain appropriate consent from patients in relation to how personal information is handled, stored, used and disclosed;
• Only disclose personal information for the primary purpose for which it was collected;
• Take active measures to ensure the security of the personal information; and
• Destroy or de-identify personal information you hold once it is no longer needed.

Need further advice?

If you are considering cloud-based storage, our team can provide tailored advice about your obligations and the steps you must take before transferring personal information to the cloud.

This article was written by Karen Keogh, Partner and Chelsea Gordon, Associate.