Up until a couple of months ago, the National Health IT Board’s guidance (“Use of cloud or hosted services for managing health information”) stated that any health care provider holding personal health information in an identifiable form must have that information fully domiciled in New Zealand unless an exemption is granted to that provider by the Board. A number of providers we have spoken to have been concerned, as they already hold personal health information in (world-class) data centres or cloud-based storage services located outside New Zealand. Why? Low cost, scalability and, importantly, the exceptional level of security that many overseas data centres and cloud-based storage services are able to offer.
Should health care providers be concerned about the requirements under the guidance? Well, it depends. In my view, the guidance is somewhat unclear – I’m not aware of any legislation that requires cloud storage of personal health information to be domiciled in New Zealand, even though the guidance is drafted in mandatory terms. Yes, we have the Privacy Act 1993 and the Health Information Privacy Code 1994 but there is nothing in the Act or Code that makes it a legal obligation for personal health information to be domiciled in New Zealand. At best, I think the guidance is in place so that health care providers can act in a manner that follows good or best practice.
That said, there are compelling reasons why a health care provider might want to “comply” with the guidance. First, a government-funded provider, or a provider providing services to a government-funded customer, may need to comply with the guidance as a condition of the relevant entity receiving funding. Second, they would be complying with guidance issued effectively by the Ministry of Health, so that’s a big tick in the eyes of the Ministry, patients and customers. Third, if they seek an exemption and it’s granted, then at least they can be satisfied that their due diligence process on the overseas data centre or cloud-based storage service was good enough for the Board (among other considerations) in granting the provider an exemption. However, one further issue for providers is that if an exemption is granted, they will need to maintain a copy or backup of all personal health information held in an identifiable form … domiciled in New Zealand.
So I started off this post with “up until a couple of months ago”. It’s pleasing to see that the Board has recently updated the guidance so that health care providers will not need to seek an exemption to hold personal health information overseas where they are using a product or service that the Ministry accepts as “fit for purpose”. So far, products and services that are “accepted” by the Ministry as “fit for purpose” are Oculo; Gallagher Bassett; Azure, Office 365 and Dynamics CRM (Microsoft), and Infosmart Web (Fisher & Paykel Healthcare). I’m sure that a number of other hosting or cloud service providers will appear on that list soon. Watch this space!