American Cloud Services for Canadian Healthcare Organizations

Cloud data storage appears to be a promising option for simplifying healthcare information management. However, most cloud service providers are located in the United States and are subject to different privacy laws and standards. What are the issues that Canadian healthcare organizations need to consider with regard to American cloud services?

For many healthcare organizations that store large volumes of personal data, cloud storage appears to be a promising opportunity. Why invest in secure servers, which take up space, require maintenance, and need to be replaced every few years, when it is possible, for a limited fee, to store data in a secure online database? Cloud storage seems cost-effective and convenient.

Most organizations are aware of some of the limitations of cloud storage. From a privacy perspective, one of the main issues is that cloud service providers are subject to the laws of the jurisdiction where they are based rather than the user’s jurisdiction. Most cloud storage providers are based in the United States, where the law effectively allows American government agencies to access any data deemed relevant to national security. American and Canadian privacy legislation and standards differ in many other ways as well. For Canadian healthcare organizations, this is clearly a privacy risk.

What are the obligations for American cloud providers supporting Canadian health data assets? As American companies attempt to capture more market share for cloud solutions, and as Canadian institutions seek to leverage the benefits of cloud solutions, it would be worthwhile for American cloud service providers to explore Canadian legislative obligations, standards, and contractual obligations. However, the current reality is that American cloud service providers are generally not in compliance with Canadian legal requirements and have no plans to achieve compliance. Canadian healthcare organizations considering using American cloud services should carefully consider how to remain in compliance with privacy legislation, contracts, and standards.

Legislative Obligations

Canadian organizations considering using American cloud services should consider the following basic legislative obligations (these are not comprehensive and should be supplemented by a Privacy Impact Assessment):

1. Healthcare organizations, as well as any cloud service provider, should have an identified privacy officer.

2. Healthcare organizations, as well as cloud service providers, should have a privacy and security escalation process for addressing concerns or incidents.

3. Both healthcare organizations and cloud service providers should have a published privacy policy describing their role and obligations with regard to provincial and federal privacy legislation. In Ontario, the Personal Health Information Protection Act (PHIPA) is most relevant. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) in the United States is not particularly relevant in the Canadian context, beyond demonstrating some level of privacy maturity. More importantly, HIPAA may not apply to non-US assets, as Canadian organizations have no access to US legal processes for enforcing its provisions.

Contractual Obligations

Canadian organizations using American cloud services will have to ensure that their contracts and agreements allow for data to be transferred into the United States. The data that health organizations hold does not belong to them, but rather to the individuals to whom the information pertains. Individuals’ personal information should not be transferred outside the country without their informed consent. For this reason, patients, clinicians, staff, and all organizational partners need to be well informed about how personal health information is managed and stored, and especially about who may have access to this information.


Starting from Canadian privacy and security standards, organizations considering using cloud services need to examine the specific service model in question: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). Users need to know who is administering the system, who is responsible for addressing problems, and who has access to the data. Depending on the specific service model, the following risks may need to be addressed:

1. Risks related to loss of control due to the externalization of system user identities, security, infrastructure, and services. Healthcare organizations that depend on cloud services for their daily operations can find themselves paralyzed in the event of access, log-in, or configuration difficulties, not to mention security breaches or service outages.

2. Risks to the integrity of shared services. Healthcare organizations may use shared clouds, in which several partner organizations share a large database to which each user has customized access to specific records. Organizations must ensure that users and applications of other cloud clients do not have unauthorized access to personal health information. Because customized access is configured manually, there is a significant risk that users will be given access to information that they should not have; further, system administrators have access to all information in the cloud. Exclusive reliance on contractual arrangements to limit access to personal health information may be insufficient.

3. Misalignment of privacy and security IT solutions. Cloud solutions not designed for personal health information may not have the robust authentication mechanisms that healthcare organizations require, including access limited to specific physical locations. Most healthcare organizations allow only on-site access to patient records, but most cloud service providers are not set up to ensure this.

4. Difficulties with audit and control mechanisms. Data quality assurance is much more difficult with cloud services than when information is managed internally, as it is very difficult to determine whether serious errors in data are due to mistakes by the health organization’s staff or by the cloud service provider. Further, Canadian healthcare organizations do not usually have the resources or legal standing to be able to hold major American cloud service providers accountable for errors or breaches.

5. Data loss and reliability. A cloud service provider’s ability to recover from failure needs to be tested before the provider can be entrusted with personal health information.

6. Error correction and data integrity. Most cloud service contracts do not include correcting data errors. If the organization is to be responsible for all data entry and correction, forecasted savings on IT services may not be realized.

The use of American cloud services in Canadian healthcare is currently a new development, with many adoption difficulties still to be resolved. Canadian healthcare organizations need to be cognizant of the privacy and security implications of using cloud services. American cloud service providers are not subject to the same legal and regulatory obligations as Canadian healthcare organizations, and entrusting them with Canadians’ personal health information is not a matter to be taken lightly.

