Cloud computing enables organizations of all types and sizes to operate more efficiently by allowing them to quickly and cost effectively outsource the operation and maintenance of their IT systems. However, the adoption of cloud computing appears to have been slower in the health care industry than in other sectors. While there is no single reason for this lag, concerns around whether cloud providers can comply with the stringent privacy and security regulations in the Health Insurance Portability and Accessibility Act (HIPAA) have affected the adoption of cloud services in this particular industry. Under HIPAA, health care providers, health plans and other "covered entities" are required to maintain the privacy and security of protected health information (PHI).
Subject to the privacy and security rules in HIPAA, covered entities are allowed to disclose certain information to “business associates," generally defined as persons who assist in the performance of functions or activities involving the use and/or disclosure of PHI, or any other activity covered by HIPAA (see 45 C.F.R. 160.103 for the full definition). HIPAA requires each covered entity to have a business associate agreement (BAA) in place to ensure that HIPAA requirements are met by each business associate and that PHI is used only for appropriate purposes. The Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009 extended the privacy and security requirements of HIPAA and accompanying penalties to apply to business associates, and required the expanded HITECH rules to be included in BAAs. Therefore, covered entities and their counsel must carefully consider the legal implications involved when entering into a cloud services relationship with a business associate.
Unfortunately, unlike brick and mortar service providers, cloud providers have become accustomed to using "clickwrap" agreements. In these cases, a customer enters into a contract simply by clicking an “I Agree” or “OK” button, for the provision of services or the granting of a license to technology. Though few, if any, courts have addressed clickwrap BAAs specifically, clickwrap agreements are generally upheld as enforceable outside of the BAA context as long as they meet certain substantive and procedural requirements.